Don’t Let Legacy Data Become Your Next Data Breach: A Lesson from Pandora

Last week, the global jewelry brand Pandora confirmed a data breach that should serve as a wake-up call for every email marketer. While the headlines have focused on the more widespread Salesforce-related attacks plaguing the industry, Pandora’s breach of an inactive, “legacy” marketing list highlights a separate and equally critical vulnerability: the forgotten data in your system.

A Tale of Two Breaches?

Pandora’s recent cyber incident is a complex case. On one hand, multiple sources, including BleepingComputer and Infosecurity Magazine, have confirmed that Pandora was one of many high-profile companies, including Chanel and Adidas, to have customer data stolen from their Salesforce environments. This campaign, attributed to the ShinyHunters group, leveraged sophisticated social engineering to gain unauthorized access to customer relationship management (CRM) databases, exposing customer names, birthdates, and email addresses.

However, a different, parallel incident brought to light by SentryBay and others exposed a distinct, and arguably more insidious, problem. In this case, approximately 30,000 customers had their personal data – including names, email addresses, phone numbers, postal addresses, and birth dates – exposed from an unencrypted “legacy” marketing list. This was not a list in active use, but rather one that had been retained by a third-party marketing partner.

The Email Marketer’s Takeaway

While the Salesforce breach points to the need for stricter access controls and multi-factor authentication for critical platforms, the legacy data breach is a potent reminder of a different kind of risk. For the email marketing and deliverability community, this incident underscores several key lessons:

  1. The Perils of Outdated Data: Your “old” or “inactive” lists are not harmless. They are ticking time bombs of personally identifiable information (PII) that, if left unmanaged and unsecured, can become a significant liability. Data minimization—the principle of only collecting and retaining the data you truly need—is not just a compliance best practice, it’s a security imperative.
  2. Third-Party Vendor Vetting is Non-Negotiable: Pandora’s breach originated with a third-party partner. How carefully are you vetting your marketing vendors? Do your contracts include strict security clauses? Are you confident in their data handling and encryption practices, especially for data that is no longer in active use?
  3. The Domino Effect on Deliverability: A data breach can have a long-lasting impact on your email program. Compromised email addresses from a legacy list can be used for phishing attacks, which can lead to a surge in spam complaints, damaging your sender reputation. Deliverability teams must be on high alert and have a plan in place to handle the fallout, including potential blacklistings and a decline in inbox placement.
  4. Regulatory Scrutiny is Real: Pandora reported the incident to the UK’s Information Commissioner’s Office and Ireland’s Data Protection Commission. This is a clear signal that regulators are paying close attention to data breaches, even those involving older data. The penalties for non-compliance with data protection regulations like GDPR can be severe, and ignorance is no defense.

Proactive Steps to Secure Your Data

So, what should you do?

  • Audit Your Data: Immediately review all of your marketing lists. Identify and securely delete any legacy or inactive data that you are no longer using and have no legal reason to retain.
  • Enhance Vendor Contracts: Strengthen your contracts with third-party vendors. Demand transparency about their security practices and data retention policies.
  • Communicate Clearly: In the event of a breach, a clear, prompt, and honest communication strategy is essential to maintaining trust with your customers and regulators.
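The “Audit Your Data” step above is easy to state and easy to skip. As an added illustration (not code from emailexpert or from Pandora), the script below shows what a retention audit over a marketing list can look like in practice: every contact with no engagement inside an assumed 24‑month window and no legal hold is marked for purge, and the only thing kept for a purged contact is a keyed hash of the address, so the PII fields the article lists (name, phone, postal address, birth date) are gone but the address can still be suppressed if it ever shows up in a re‑import. The retention period, the `legal_hold` flag, the HMAC key and the sample contacts are all constructed for this example.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed retention policy for this example: a contact with no engagement
# in the last 24 months and no legal reason to keep it is purged.
RETENTION_DAYS = 730


@dataclass
class Contact:
    email: str
    name: str
    phone: str
    postal_address: str
    birth_date: date
    last_engagement: Optional[date]   # None means never opened or clicked
    legal_hold: bool = False          # e.g. open complaint or statutory record


def suppression_token(email: str, key: bytes) -> str:
    """Keyed hash of the normalised address. This replaces the PII for a purged
    contact so the address can still be suppressed on a later re-import."""
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def audit_list(contacts: List[Contact], today: date, key: bytes,
               retention_days: int = RETENTION_DAYS) -> Tuple[list, list, list]:
    """Split a list into contacts to keep, contacts to purge and contacts on hold."""
    cutoff = today - timedelta(days=retention_days)
    keep, purge, held = [], [], []
    for c in contacts:
        if c.legal_hold:
            held.append(c)                      # retained, but flagged for review
        elif c.last_engagement is None or c.last_engagement < cutoff:
            purge.append(c)                     # stale: no engagement inside the window
        else:
            keep.append(c)
    return keep, purge, held


def purge_to_suppression(purge: List[Contact], key: bytes) -> List[str]:
    """Return only suppression tokens for purged contacts; every PII field is dropped."""
    return sorted(suppression_token(c.email, key) for c in purge)


# Constructed sample list for the example; these are not real customers.
SAMPLE = [
    Contact("active@example.com", "A. Active", "+0000000001", "1 Example St",
            date(1990, 1, 1), date(2025, 6, 1)),
    Contact("stale@example.com", "S. Stale", "+0000000002", "2 Example St",
            date(1985, 5, 5), date(2022, 1, 15)),
    Contact("never@example.com", "N. Never", "+0000000003", "3 Example St",
            date(1970, 7, 7), None),
    Contact("hold@example.com", "H. Hold", "+0000000004", "4 Example St",
            date(1980, 8, 8), None, legal_hold=True),
]
AUDIT_KEY = b"constructed-key-for-example-only"   # in practice: a managed secret


def run_audit(today: date = date(2025, 8, 12)) -> dict:
    """Run the audit over the sample list and return a report by email address."""
    keep, purge, held = audit_list(SAMPLE, today, AUDIT_KEY)
    return {
        "keep": [c.email for c in keep],
        "purge": [c.email for c in purge],
        "held": [c.email for c in held],
        "suppression": purge_to_suppression(purge, AUDIT_KEY),
    }


if __name__ == "__main__":
    for bucket, emails in run_audit().items():
        print(f"{bucket}: {emails}")
```

The hold bucket matters as much as the purge bucket: a record you must keep for a complaint or statutory reason should be retained deliberately and documented, not left behind by accident in a vendor's export, which is exactly the failure mode the legacy-list incident describes.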

Pandora’s experience demonstrates that in the world of email marketing, every piece of data—even the forgotten stuff—carries a risk. By proactively addressing the security of all your customer data, you can protect not only your brand’s reputation but also your critical email program.

Andrew Bonar
Andrew is the co-founder of emailexpert.