We welcome today Marion Duchatelet Bajeux, Marketing and Communication Director of Market Espace, in the columns of Badsender! Marion agreed to come and talk to us about TrackUp. This is an email database tracking solution that monitors data leakage and unauthorized use of corporate email databases (by employees or business/technical partners).

The interview

Jonathan Loriaux: The objective of TrackUp is to insert witness addresses (trap addresses) in email databases in order to monitor data theft. Today, what is the extent of the problem for French companies?

Marion Duchatelet Bajeux: We see the scale of the problem every day. Press articles are published daily in the media about hacking and data theft. Advertisers' databases are regularly hacked. We hear a lot about computer hacking. These are hackers who are able to infiltrate computer programs, bypassing software protections in order to detect computer flaws. But there are other types of data theft that occur on a much more recurrent basis and without the database owner even being aware of it. For example, an employee or ex-employee can export all or part of his or her company's database via a simple USB key. A commercial partner, an agency or a database publisher may very well reuse data outside the existing contractual framework and outside the legal framework for emailing set by the CNIL. Some players, particularly in the field of acquisition emailing, operate with dubious marketing practices: database swaps, failure to respect opt-in, repeated mass mailings. All these bad practices, unfortunately commonplace today, also constitute data theft in the legal sense of the term.

JL: Do we have any idea of the financial impact of hacking and data theft on businesses?

MDB: As far as I know, we don't have any figures for data theft, as described above. In all the studies that have been carried out, we tend to talk about the cost of cybercrime, identity theft and phishing. In this context, the latest CSIS (Center for Strategic and International Studies) study from 2014 says that the total worldwide cost linked to cybercrime is around 327 billion euros, including 110 billion euros for personal data alone. Another IBM/Ponemon study estimates the average consolidated cost of a data theft to be 3.8 million euros for a company. In fact, the impact is not just financial. In the event of theft, press articles are published, creating a bad buzz around the hacked company. This jeopardizes brand awareness. Customer satisfaction declines. Not to mention the drop in business performance and, from an emailing point of view, the deterioration in deliverability and the blocking of campaigns by ISPs.

JL: In terms of data leakage, is the risk mainly with business partners or internally?

MDB: The TrackUp tool has existed since 2010. What we mainly see through the tool is that the risks come mainly from inside the company. That accounts for roughly 50% of identified cases. The second risk comes from business partners, roughly 35% of cases. Then 10% of cases are linked to a technology provider. The latest SailPoint study shows that in France 16% of employees would be willing to sell their work password in exchange for payment.

JL: Do companies have a legal obligation to protect themselves against these data leaks?

MDB: Legislation on the subject will be applicable from 2018; it will require companies to protect themselves against data leakage or theft. The new regulation says that companies must take organizational and technical measures against hacking. TrackUp is therefore one of the technical tools to guard against data theft. In case of formal notice, sanction, ... the CNIL can be more lenient if the company is well equipped, especially since TrackUp is certified by a court officer.

JL: Does this mean that the information delivered by the tool is admissible in court?

MDB: Exactly. The solution goes through a legal certification process. This is a necessary step if the pirated company wants to take legal action.

JL: In practice, if I want to deploy a data leakage tracking solution, how does it work?

MDB: The first step is to identify the databases at risk. Is your CRM database located only in-house? Are there file extracts held by business partners? Are there also extracts of my CRM database held by technical service providers? So we look at where the company's personal data is located and how it passes through third parties, in order to identify the risks. Next, an audit of the databases to be protected is carried out. We look at the depth of segmentation the database contains. The objective of this audit is to see which types of trap addresses will be created. The trap address profiles created are undetectable. The next step is to certify the addresses with a court officer and then, in the fourth step, to inject them into the databases we have identified as being at risk. Finally, the fifth step is carried out in a completely automated and continuous way. It is the monitoring of all the emailing campaigns that land on these trap addresses. The campaign information is reported back to the database owner. If a trap address receives an email from an unauthorized sender, this makes it possible to conclude that data has been misappropriated and that someone has a significant intention to use the data fraudulently. An email alert is then triggered to the database owner to warn them.

JL: Among the companies that use the system, have any of them filed complaints against partners who stole their data?

MDB: Yes, it happens. As an example, we have a very large account whose CISO (Information Systems Security Manager) stole a file containing personal information. In this case, he was fired. In another company, an IT manager inserted his former company's customer data into the database. This resulted in dismissal and a suspended prison sentence. In another case, a consultant who worked for a company stole email addresses. However, not all the frauds detected by TrackUp go to court. They are settled out of court. But at least the database owner is aware of the data leaks on his database, he knows the person or company behind the theft and can deal directly with them.

JL: Today, the system was primarily created to fight against data leakage. Are there other uses for the system that may emerge for uses that were not necessarily originally intended?

MDB: The first objective of TrackUp is to detect data leaks and warn the base owner. We quickly saw a benefit to the market as well. TrackUp detects marketing campaigns routed to stolen addresses. This means that Internet users receive commercial emails that they did not want. They are therefore receiving spam. Couldn't we, by approaching anti-spam organizations or ISPs directly, go as far as blocking the campaigns? This would prevent the spread of stolen data in the wild and cut the circuits of exchange and resale of stolen data. So we would be doing our part to help the market fight against this type of spam and to drive out of the market the companies that do not respect the law.

JL: Compared to the practices of trap addresses that have been in use for many years, particularly in direct marketing, what makes the tool you offer so special?

MDB: It is the automation and the certification of the process. For many years, advertisers have been manually inserting trap email addresses into their databases and monitoring by hand, as best they can, the emailing campaigns received. The process is rather archaic, so it is difficult to control everything and see everything. Then, when a theft is detected, there is no possibility of legal recourse. With TrackUp, monitoring is automated and continuous, so all emailing campaigns are checked. The process is legally certified, so if a data leak is detected, legal recourse is possible and effective. In addition, it is not only trap addresses that are created but real profiles with a depth of segmentation equal to that of the database and with simulated open and click behavior.

Find all the information about TrackUp at https://www.track-up.com/


The author

Jonathan Loriaux
