Banking: outsourced bank customer data stolen in hack attack
Data processor Epsilon, which handles email processing for major companies including banks and retail chains, has been hit by a hacking attack.
The full scale of the breach is still unfolding. Data belonging to some 50 companies is understood to have been accessed out of a total customer base of some 2,500.
Customers for Epsilon's services include JP Morgan Chase and Capital One.
The target of the hack, it appears, was neither customer account data nor even the content of e-mails. Rather, like the persistent attacks on accounts at hotmail.com which steal address books and then spam a user's contacts while faking the sender's name to pretend the mail is from someone the victim knows, the objective here seems to have been to plunder the contact lists of major companies.
For hackers, huge data processors are a valuable target: one hack can give access to data relating to many companies, a great improvement in the risk/effort/reward ratio compared with trying to get that same information from many sources.
The issue raises a big question mark over the use of cookies - a hot topic for US lawmakers right now. They are debating whether to adopt EU proposals to create strict controls on so-called "tracking cookies" - which are used to trace the movements of a computer (not, of course, a specific user unless that computer is in the sole control of one user) across the web. It is the use of tracking cookies that allows the cross-matching of data held in data warehouses to produce targeted advertising and content - and, ironically, marketing e-mails.
In the financial sector, companies are supposed to ensure that outsourcing companies maintain at least as strict controls over personal data as they themselves do. But a series of breaches - including data lost in the mail and staff in outsourcing centres obtaining and selling customer data - have emphasised that this is not always possible.
The Epsilon attack is unlikely to result in anything more than an increase in phishing and fraudulent e-mails to those listed. But these will, of course, be targeted: they will be directed only to customers of the banks and other companies whose data was stolen. That gives them a credibility bonus which will, without doubt, mean that - in terms of percentages - the results will be better than normal.
For the companies whose data was stolen, that may translate into substantial compensation claims from the victims.