Security Incident at Ad-Tech Platform Sizmek Affects Publicis Media

Separate events this week highlight ongoing platform policing issues


Top ad-tech platform Sizmek recently addressed the concerns of media agencies that use its demand-side platform after a flare-up highlighted some of the security measures inherent to the field.

The incident arose after a system update in February led to a situation in which audience segments Publicis Media uses to target its own clients’ ads were left exposed, meaning other parties on the platform could theoretically target against them. The segments were very general, with one example reading, “Males > All Audiences & Pixels > Branded Data > SirData > Demographic > Males.”

Three days after this story initially ran, IPG Mediabrands disputed the claim, made by a source with direct knowledge of the incident, that it had also been affected. Representatives previously declined to comment.

Publicis Media first noticed the flaw, then contacted Sizmek. The ad-tech company told Adweek the matter was resolved within 10 hours, and this week it published on its blog the memo it sent to clients in response, under the heading “inadvertent segment descriptor disclosure.”

In a subsequent interview, Sizmek CEO Mark Grether stressed that no personally identifiable information became available to third parties as part of this disclosure—such data cannot be stored on the platform—and that no media buys were made against the inadvertently exposed data.

“In theory, it could have happened,” Grether said, “if you look at the thousands of segments and then use the segment descriptor, which you have no clue what it actually stands for—but yes, it could have happened.”

Grether added, “As soon as we found out about it, we corrected the wrong assignment of the segments. … We also solved the protocol issue, which is why this issue cannot be replicated.”

In a statement, Publicis Media wrote, “We take our clients’ confidentiality very seriously and expect all ad tech providers to do the same.”

“Sizmek quickly addressed the matter and we pushed for further reassurance from them to ensure nothing like this happens again in the future,” the statement continued. “We expect everyone in the ad ecosystem to implement appropriate physical, technical and administrative safeguards.”

Potential preventative measures

Robert Webster, CEO of Canton Marketing Solutions, explained some of the issues that could potentially have gone wrong.

If someone had “stolen” the segments in question, they could have extracted the insights and used them to second-guess the advertiser’s data strategy, according to Webster.

“From what I’ve seen, it’s still bad, but it’s not that bad,” he said, adding, “There should be protocols in place to make this impossible.”

Webster recommended a two-step “double-lock” permissions system to prevent sensitive information from being shared on the open market.

“Another thing to look out for is whether things like permissions get overwritten when you move from one server to another [a process that created serious issues for Facebook earlier this week],” he said. “The ideal is for the default to be private in case there is ever a mistake [in the migration].”

Heightened security concerns

News of the February glitch emerged the same week as separate claims of a security breach involving Russian hackers attempting to resell access to Sizmek user accounts, opening the potential for nefarious activity such as the injection of malicious code into the ecosystem. The company is likewise moving to remedy that situation.

Kevin Mannion, chief strategy officer at research outfit Advertiser Perceptions, said matters of privacy—in terms of both consumer personally identifiable information and client data—have grown so prominent that his firm will add them to the key assessment criteria for its upcoming Programmatic Intelligence report.

He did, however, say it is “not a DSP issue, per se.”

Commenting on the earlier incident, Joanna O’Connell, vp and principal analyst at Forrester, noted, “The real challenge here may be a perception one for Sizmek, who’s been buffeted lately by bad news and who may find itself being forced to operate defensively rather than offensively, as a result.”

Sizmek has had a challenging start to the year, with AdExchanger reporting the company missed its 2018 revenue targets.

It recently acquired various assets, including an ad server, data management platform and the AI-powered DSP Rocket Fuel in an attempt to offer an independent alternative to Google’s ad stack. Market sources indicated Sizmek’s private equity backers, which include Vector Capital and Cerberus Capital Management, sought sale options but aren’t willing to consider a piecemeal sale.

@ronan_shields Ronan Shields is a programmatic reporter at Adweek, focusing on ad-tech.
@PatrickCoffee Patrick Coffee is a senior editor for Adweek.