Following my earlier post on the two email security breaches at trusted brands that have my email address data, it seems that bad news really does come in threes. McKinsey Quarterly is the latest to write to me over the weekend to tell me about my name and email address becoming “exposed”.
Here’s the email I received:
Important information from McKinsey Quarterly
We have been informed by our e-mail service provider, Epsilon, that your e-mail address was exposed by unauthorized entry into their system. Epsilon sends e-mails on our behalf to McKinsey Quarterly users who have opted to receive e-mail communications from us.
We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information. We are actively working to confirm this. We do not store any credit card numbers, social security numbers, or other personally identifiable information of our users, so we can assure you that no such information was accessed.
Please note, it is possible you may receive spam e-mail messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties. Also know that McKinsey Quarterly will not send you e-mails asking for your credit card number, social security number or other personally identifiable information. So if you are ever asked for this information, you can be confident it is not from McKinsey.
We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.
If you have any questions or concerns, please contact McKinsey Quarterly at firstname.lastname@example.org. For any media inquiries, please contact Humphrey Rolleston at +1-212-415-5321.
Senior Managing Editor
McKinsey & Company
How can businesses make this bad news land better?
As discussed in my previous post, businesses need to be open, honest and complete from the outset. Customers have the right to know EXACTLY what happened to their data, why it happened, and to be told what steps have been taken to ensure that the risk of it happening again has been minimised.
And when they do so, please use plain English- “Exposed by unauthorised entry” means nothing, and gives me no confidence that this can’t happen again:
- Did a rogue employee leave a USB stick on the bus? If so, tell me.
- Did someone hack into your systems? If so, tell me.
- Have law enforcement been informed? If so/not, why?
- And most importantly, what are you doing to make sure the chances of this happening again have been mitigated?
Where will this end?
If these high-profile ‘breaches’, ‘exposures’ and ‘compromises’ continue, then the foundation of permission-based marketing will be rapidly eroded- trust.
I trust brands to look after my data responsibly. I hold them accountable for keeping this safe, including any arrangement they have with any 3rd party supplier. So when something goes wrong, don’t I have the right to be reassured that it won’t happen again? If not legislatively, then morally?
“Trust is like a vase…once it’s broken, though you can fix it, the vase will never be the same again”