We welcome today Marion Duchatelet BajeuxMarion, Marketing and Communication Director of Market Espace, in the columns of Badsender! Marion agreed to come and talk to us about TrackUpThis is an email database tracking solution that monitors data leakage and unauthorized use of corporate email databases (by employees or business/technical partners).
The interview
Jonathan Loriaux The objective of TrackUp is to insert witness addresses (trap addresses) in email databases in order to monitor data theft. Today, what is the extent of the problem for French companies?
Marion Duchatelet Bajeux The scope of the problem is something we see every day. Press articles are published daily in the media about hacking, data theft. Advertisers' databases are regularly hacked. We hear a lot about computer hacking. These are hackers who are able to infiltrate computer programs, to bypass software protections in order to detect computer flaws.
But there are other types of data theft that occur much more frequently and without the database owner even being aware of it. For example, an employee or ex-employee can export all or part of the company's database via a simple USB key. A commercial partner, an agency or a database editor can very well reuse data outside the existing contractual framework and outside the legal framework of emailing set by the CNIL. Some actors, especially in the field of acquisition emailing, operate with dubious marketing practices: database exchanges, non-respect of the opt-in, massive and repeated sending. All these bad practices, unfortunately commonplace today, also constitute data theft in the legal sense of the term.
JL Do we have any idea of the financial impact of hacking and data theft on businesses?
MDB To my knowledge, we don't have any figures on the data theft part as I just described above. In all the studies that are done, we rather talk about the cost related to cyber crime, identity theft and phishing. In this context, the latest study by CSIS (Center for strategic and international studies) from 2014, says that the total worldwide cost related to cybercrime is about 327 billion euros, of which 110 billion euros is for personal data alone. Another IBM/Ponemon study estimates the average consolidated cost of a data theft to a company at €3.8 million.
In fact, the impact is not only financial. In case of theft, press articles are published and create a bad buzz around the hacked company. This jeopardizes the brand's reputation. Customer satisfaction decreases. Not to mention the drop in business performance and, from an emailing point of view, the degradation of deliverability and the blocking of campaigns by ISPs.
JL In terms of data leakage, is the risk mainly with business partners or internally?
MDB The TrackUp tool has been in existence since 2010. What we see mainly through the tool is that the risks come mainly from within. That's about 50 % of the cases identified. Then the second risk comes from business partners, about 35 % of the cases. Then 10 % of the cases are related to a technology provider.
The latest SailPoint study shows that 16% of employees in France would be willing to sell their work password for a fee.
JL Do companies have a legal obligation to protect themselves against these data leaks?
MDB : Legislation on the subject will be applicable from 2018, it will require companies to protect themselves against data leakage or theft. The new regulation says that companies must take organizational and technical measures against hacking. TrackUp is therefore one of the technical tools to guard against data theft. In case of formal notice, sanction, ... the CNIL can be more lenient if the company is well equipped, especially since TrackUp is certified by a court officer.
JL Does this mean that the information delivered by the tool is admissible in court?
MDB : Exactly. The solution goes through a legal certification process. This is a necessary step if the pirated company wants to take legal action.
Need help?
Reading content isn't everything. The best way is to talk to us.
JL In practice, if I want to deploy a data leakage tracking solution, how does it work?
MDB The first step is to identify the databases at risk. Is your CRM database located only internally? Are there extracts from files held by business partners? Are there also extracts from my CRM database that are held by technical service providers? So we look at where the company's personal data is located and how it is transmitted through third parties to identify the risks.
Then, an audit of the databases to be protected is performed. We look at the segmentation depth of the database. The objective of this audit is to see what types of trap addresses will be created. The trap address profiles created are undetectable.
The next step is to certify the addresses with a bailiff and then, in the fourth step, to inject them into the databases that we have identified as being at risk.
Finally, the fifth step is done in a completely automated and continuous way. It is the monitoring of all the emailing campaigns that fall on these trap addresses. The campaign information is sent back to the base owner. If a trap address receives an email from an unauthorized sender, it can be concluded that a data hijacking has occurred and that someone has the significant will to use the data fraudulently.
An email alert is then triggered to the base owner to notify him.
JL Among the companies that use the system, have any of them filed complaints against partners who stole their data?
MDB Yes, it happens. As an example, we have a very large account whose CISO (Information Systems Security Manager) stole a file containing personal information. In this case, he was fired. In another company, an IT manager inserted his former company's customer data into the database. This resulted in dismissal and a suspended prison sentence. In another case, a consultant who worked for a company stole email addresses. However, not all the frauds detected by TrackUp go to court. They are settled out of court. But at least the database owner is aware of the data leaks on his database, he knows the person or company behind the theft and can deal directly with them.
JL Today, the system was primarily created to fight against data leakage. Are there other uses for the system that may emerge for uses that were not necessarily originally intended?
MDB : The first objective of TrackUp is to detect data leaks and warn the base owner. We quickly saw a benefit to the market as well. TrackUp detects marketing campaigns routed to stolen addresses. This means that Internet users receive commercial emails that they did not want. They are therefore receiving spam. Couldn't we, by approaching anti-spam organizations or ISPs directly, go as far as blocking the campaigns? This would prevent the spread of stolen data in the wild and cut the circuits of exchange and resale of stolen data. So we would be doing our part to help the market fight against this type of spam and to drive out of the market the companies that do not respect the law.
JL Compared to the practices of trap addresses that have been in use for many years, particularly in direct marketing, what makes the tool you offer so special?
MDB It is the automation and certification of the process. Indeed, for many years advertisers have been manually inserting trap email addresses into their database and monitoring by hand, and as they can, the email campaigns received. The process is quite archaic, so it is difficult to control everything, to see everything. Then, when a theft is detected, there is no possibility of legal recourse. With TrackUp, the monitoring is automated and continuous, so the entire email campaign is controlled. The process is legally certified, so if a data leak is detected, legal recourse is possible and effective. Moreover, it is not only trap addresses that are created but real profiles with a segmentation depth equal to the base and with simulations of opening and clicking behaviors.
Find all the information about TrackUp on https://www.track-up.com/
