Mailchimp Hack Shows Why Your ESP Shouldn’t Store Your Data

Apr 05, 2022
Jeff Haws

The Mailchimp hack this week in which hackers used an internal tool to steal data from 100+ Mailchimp clients and put that data to use in phishing attacks on cryptocurrency services users could be yet another reminder to brands that trusting anyone to store your sensitive customer data is playing with fire. Some of them will tell you that they’ve never experienced a data breach, but Mailchimp’s experience — along with similar recent breaches at Hubspot and ActiveCampaign — shows it can happen at any time.

At the end of the day, the only way to maintain control over your own data security is to keep it — including copies of it — behind your firewall at all times. That means making your data warehouse the center of your marketing strategy, and ensuring the tools you use connect directly into it for you to use it for marketing purposes. Every time you copy data and ship it out to your ESP’s cloud, you’re risking the next ESP breach will involve your customers. Our platform was built with the intent of putting an end to that problem. Here’s why allowing your data to be stored anywhere other than in your own database is incredibly risky.

You lose control of your data

The fact is your data is never safer than when it’s behind your firewall. Every time you move data out to your ESP’s marketing cloud, the chances of a catastrophic breach increase. Once it’s out there, its security is essentially beyond your control. If your ESP’s security is compromised, your data that’s stored there may very well be too. And even if that happens and you end up safe, the perception from your customers could be negative if they know you use that marketing cloud ESP.

One of the reasons you invested in a consolidated database in the first place was security, and a direct connection to it enables you to keep the data your customers trust you with as safe as it can possibly be. No matter how secure your ESP may seem, trusting them with your customer data is a leap of faith. And it’s one that, in many cases, your I.T. team isn’t going to allow, especially when it comes to your most sensitive PII. With a direct connection and KMS encryption technology, though, you can meet even the most stringent security requirements.

Excuses don’t matter

If and when your ESP suffers a data breach, you’re welcome internally to place the blame squarely on them for allowing that to happen. They can get on their hands and knees, telling you about everything they’re doing to strengthen protections that were already in place, along with new ones they’re instituting to ensure — as well as they can, anyway — that this won’t happen again.

But what your customers are going to remember is they trusted you with their data, and then they found out that you weren’t worthy of that trust. In the Mailchimp hack, The Verge writes that “the attackers focused on obtaining data from users in the cryptocurrency and finance sectors.” There are few industries where trust is more important than in the financial world. You’re going to be the one who has to go back to them and explain why their sensitive data wasn’t as safe as you had assured them it was, and what you’re going to do to secure it going forward. You’ll lose customers, without any doubt. You can blame the Mailchimp hack all you want, but customers aren’t likely to shrug that off.

Partnering with a customer engagement platform that allows you to connect directly to your database can help you prevent all these problems from the outset.

The aftermath is messy

If your ESP suffers a data breach that impacts your customers, not only do you have to beg their forgiveness, but it can be difficult to even know what to tell them. All you have to pass along to them is what your ESP tells you they’re doing, but can you or your customers be confident that they’re taking the right actions to prevent the next attack? Or that they’ve got the right people in place to do it effectively? It’s all more faith.

You could also try to change ESPs, but that’s not something you can do overnight. You still need to get emails out the door. That’s why you signed on with them in the first place. Before you can move on, you need a new provider. Onboarding takes time. Your data is all tangled up in their cloud. In the short to medium term, you’re stuck.

On the other hand, if a data breach happened to you specifically, at least you can make all the decisions about what needs to be done. You can oversee the entire process, ensuring the right steps are taken to strengthen your protections for the next hack attempt. And you can explain these steps to your customers in full detail, with confidence they’re being undertaken with professionalism and care.

Having your data both secure and accessible to your marketing team is possible with the right messaging platform. Let’s talk about how we can help you do it, like so many of the world’s biggest brands already have.

About the Author

Jeff Haws

As MessageGears’ Senior Marketing Manager, Jeff is focused on producing engaging and thoughtful content that resonates with enterprise marketers, helping them to better understand how MessageGears makes their jobs easier. He’s passionate about understanding the way data impacts messaging, and he’s also hopelessly obsessed with baseball.