The Epsilon data breach that saw names and email addresses of millions of Americans become exposed by unauthorized access to the company's system might or might not present a threat financial institutions such as Citigroup, Capital One and JPMorgan Chase, who are clients of the online marketer.
In the near term, if that information is out there and available, it could mean more spam emails and phishing attempts.
"In reality that’s all it is," says Paul Schaus, president of CCG Catalyst consulting group. "So from a bank’s perspective you’re worried about customers getting spam emails or getting phishing emails. Those are the two big issues. It’s not a confidentiality issue."
But if those email addresses and names get out there in lists that can let fraudsters make a correlation between an individual and the place they bank, then it could lead to some well-aimed phishing attacks.
"That’s the big concern," Schaus says. "That’s the area of risk."
However, it takes some work to get there. As Schaus explains, it's two parts: first the customer has to be unaware of the breach and secondly the email has to look so authentic they don't think about it.
"I think from a business perspective, those who are in charge to protect accounts clearly have to do a more vigilant job because they can expect a wave of attack," says Ori Eisen, CEO and founder of fraud prevention and detection provider The 41st Parameter.
Eisen believes that if a bank is doing due diligence to protect from fraud, it'll minimize risk.
"People say the sky is falling," Eisen adds. "However if you do the monitoring day in and day out, regardless of the breach, you should have your risks managed."
Eisen added the Epsilon breach, if it is only names and email addresses, isn't as bad as some of the other recent events, such as the RSA security breach in mid-March. But names and emails correlated with a financial institution could have other, less-direct effects.
"You can do some other things with it as well," he says. "If I know your email, I know a couple of things. In this case I know your name and email and I know you are a customer at a particular bank. I can also try to break into your email."
Shaus qualifies that, with the amount of information readily available, the Epsilon breach -- if it's only names and email addresses that were accessed -- doesn't add much new to the online security scene.
"You’ve got to put this all in perspective," Shaus says. "How many people put their email addresses out there in blogs, or in comments or emails or reviews on Amazon?"
There's a lot of data already on the web.
Eisen warns that the Epsilon breach should, if nothing else, emphasize the importance of proactive account takeover detection.
"You don’t know when an attack will happen," he says. "It could be today, it could be a month from now."
In its email following the breach, Chase made several recommendations to its customers, including:
There's no harm in reminding customers about safe practices online.
"I see a direct correlation between the frequency of security awareness training and the success rate of these email attacks," says Brendan McGowan, director of Consulting Services for Safe Systems. "The most effective countermeasure to phishing emails is user awareness."