Last night the Security section of CNET News ran the following report by Edward Moyer of a breach:
Epsilon, which manages e-mail communications for TiVo, JP Morgan Chase, Capital One Financial, US Bank, the Kroger grocery chain, and other clients, said this week that it suffered a security breach that revealed data on some of its clients' customers.
Epsilon, which says it sends 40 billion e-mails annually, released a statement yesterday saying that on March 30 it detected an "unauthroized entry" [sic] into its system that exposed customer names and e-mail addresses. The company said "no other personal identifiable information associated with those names was at risk."
Bloomberg reported that an Epsilon representative would not say how many other clients might be affected, citing an ongoing investigation.
While this is clearly interesting on its own merits, my attention was drawn to Moyer’s account of how some of these businesses reacted when they were informed of the situation by Epsilon. Kroger’s strategy was to use electronic mail to deliver a short message:
Kroger wants to remind you not to open e-mails from senders you do not know. Also, Kroger would never ask you to e-mail personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted.
While this does not say anything that readers should not know, it provides a useful reminder through the very channel that had been placed at risk. This amounts to a vote of confidence in Epsilon’s statement and their approach to managing electronic mail. It is also likely to be seen by those who matter the most.
This strikes me as a far better understanding of “customer relationship management” than the actions of Chase and Capital One, each of which simply posted the information on their respective Web sites. Chase did a relatively poor job of directing attention. The notice is on the home page in the form: “Please read important message to all Chase customers LEARN MORE.” Most critical is that this summary should have been more informative. Many (probably myself included) would view this with suspicion as being just another pitch to sell something. In my case, though, I would never see the message, since, as a Chase customer, I tend to go directly to the My Accounts page. Not only is there no notice of the problem on that page, but also there is not a message in the internal Secure Message Center alerting me that a problem may exist. Capital One, however, turned out to be even worse, since they do not even provide a pointer to their message on their home page.
It seems to me that the main conclusion to draw from this comparison is that Kroger gave more thought to communicating with their customers than either Chase or Capital One did. One reason may be that Kroger has to deal with its customers as grocery shoppers on a week-by-week basis, if not with greater frequency. The financial sector, on the other hand, does not think about engaging with customers with such frequency. As a corollary this means that businesses in the financial sector “understand” (scare quotes intended) their customers by analyzing databases, while Kroger’s may actually try to establish understanding through engagement on the floor of their outlets. I would further suggest that Capital One, in particular, seems to feel that it is important to invest its resources in advertising to bring in more customers than in engaging in any meaningful way with the customers it already has (perhaps because they think of engagement in terms of selling more stuff rather than providing the services associated with that stuff). This may be yet another lens through which we can examine the state of our current economic problems and our prospects for recovery.