With Wikileaks and the emergence of “hacktivism,” corporations everywhere are finally getting the message that they, and their customers’ data, are only as secure as their weakest link. Notably, this week we heard of McDonald’s losing customers’ emails due to a hack at the network of one of its marketing automation vendors. Once stolen, this information can be fed into phishing and spam systems and could potentially cause serious issues for these customers, not to mention the untold loss of brand equity and revenue for the business.
What is particularly disturbing is that this loss was brought on by a hack into the networks of marketing automation vendor Silverpop. The FBI reports that data related to 105 customers of Silverpop may have been breached.
Silverpop customers such as deviantART sent an email to their own customers warning that their email addresses, user names and birth dates were exposed to suspected spammers. The company has since ceased all ties with Silverpop, as noted in this statement: “Silverpop Systems, Inc., a leading marketing company that sends email messages for its clients, told us that information was taken from its servers. Because we value the information that members give us, we have decided not to rely on the services of Silverpop in the future and their servers will no longer hold any data from us.”
The loss of data doesn’t have to tie directly to a marketing automation vendor; the risk could be second-tier. Walgreens noted last week that it had customer information breached that was then used for phishing scams. The Register reports that Walgreens uses Arc Worldwide as its promotional agency, and Arc is part of Leo Burnett, which, by the way, is McDonald’s agency of record. Both of these agencies use Silverpop.
For marketing professionals, as stewards of the brand, these recent events raise some interesting and disturbing issues. I don’t know of too many marketing colleagues who do not use some type of marketing automation services provider, whether it be Silverpop, Marketo, or Eloqua. The reality is that in order to use these services you in effect send your database to the cloud. So what this really means is that your database is only as secure as your marketing automation vendor’s security.
This post is not a hit against Silverpop either, as I doubt that many marketing automation vendors have IT security at top of mind. The reason I say that is that, other than Marketo, I didn’t really see any value prop from any vendor related to how secure they keep your data. The other thing you need to realize is that most of these companies do not manage their own security, and may in fact use a third-party managed security services provider (MSSP), and that can bring additional and inherent risk.
Have you asked any questions regarding your marketing automation vendor’s security processes? Do they outsource their IT network security management? How do they or their partner secure their network? Do they have a dedicated patching team? How do they audit their partner’s security practices and protocols? Do they guard against insider risk by encrypting their USB sticks, or do they just rely on the increasingly ineffective and ubiquitous antivirus?
These are now important questions for marketing to ask of its marketing automation vendors. Just imagine yourself typing out an email to your customers notifying them of a loss of their sensitive information. What damage would that cause to your brand equity? What if you’re in the financial or healthcare industry? What additional compliance and litigation risk would an event like this bring to your business?
It’s clear that the IT security posture of your marketing automation vendor is now more related to your brand equity than ever before. Nuff said.