The single biggest news item in email marketing this month is--and will likely continue to be--the major data breach that occurred with the email validation firm Verifications.io. The industry as a whole is talking about it, and of course at Site Impact we are appalled; security is a major concern in our business and we are always looking for ways to enhance it. The situation is a learning experience for the industry and is an important reminder never to slack off when it comes to data security.
The short version of the series of events is that security researchers Bob Diachenko and Vinny Troia discovered an unprotected, publicly accessible database containing 150 GB of detailed marketing data in plaintext, including 763 million unique email addresses. The email addresses alone would be a bad thing to keep publicly accessible--but the records include much more, such as “business intelligence” data (employee and revenue figures from various companies) and individual consumer data. A breach of this nature is close to catastrophic; it undermines a crucial element of the email marketing industry.
Verification/validation firms are a necessary part of the email marketing machine. While many email agencies offer the service of verifying the validity of email addresses in-house, the process comes down to essentially spamming consumers--sending out massive batches of emails to confirm that every address listed is actually able to receive email. That is a risk that many agencies and brands are unwilling to take for the obvious reason that it could negatively impact the deliverability of their campaigns.
The breach is serious in no small part because the database was publicly accessible, so it’s impossible to know whether the information has already been accessed, or by whom. The security researchers went public with the fact of the exposure precisely because it’s important for everyone whose information was contained in the database to know about it.
Anyone whose information was contained in the database should have received an email notifying them, or should receive one shortly. Of course, this is just the beginning of a lengthy and very complex process that the companies involved--not just Verifications.io--will be going through in coming days, weeks, and months. Security has to be reestablished by everyone affected, which takes time, and of course there is the cost of losing confidence in that security.
But for the industry as a whole, the situation teaches a very, very important lesson: security at each and every level is absolutely vital, and compromises for the sake of convenience or expediency are bound to lead to trouble. It’s almost certain that decisions were made leading to this particular breach on the basis of making something simpler, or easier to do; and that doomed Verifications.io and put many of its partners in the hot seat as well. For the email marketing industry, this incident is a reminder that cutting corners always comes back to bite you--better to spend a little extra time making sure everything is secure, even at the risk of things being a bit more complicated at times, than to open things up to the possibility of a major data breach. Contact Site Impact to learn how we go above and beyond in making sure that security comes first.