US Congress Demands More Info On Epsilon Breach

Each day, a new company is added to the list of clients affected by the massive data breach at email marketing provider Epsilon. Now, several US senators and House representatives are demanding more details about the magnitude of the breach and how the email thefts are impacting consumers.

US Senator Richard Blumenthal of Connecticut wrote a 6 April letter to the United States Attorney General’s Office noting there may be some consumers still unaware their email addresses may have been stolen.

“While some of Epsilon’s client companies have notified their customers of the breach, other consumers may be unaware that their names, email addresses and other potentially identifying information may be at risk,” wrote Blumenthal.

Sensitive data

Epsilon Data Management, a large email marketing services company with approximately 2,500 clients, disclosed on 1 April that attackers had stolen customer data belonging to several of its clients. While the extent of the breach is still under investigation, the initial list of affected companies included several financial organisations such as JPMorgan Chase, major hotel chains such as Marriott Rewards, and big retailers such as Best Buy.

Since the data stolen did not contain any personal-identifying information, such as Social Security numbers or credit card information, existing state laws requiring breach notifications may not apply in this case. Even so, attackers could use the email addresses to launch phishing attacks to steal more sensitive data such as financial information or login credentials to other sites, industry experts have warned.

“I believe that immediate notification to all customers is vital to protect them – and enable them to protect themselves – from identity theft,” said Blumenthal. Bluementhal recommended Epsilon or its clients pay for financial data security services and credit reports for affected consumers for two years.

US Representatives Mary Bono Mack of California and G.K. Butterfield of North Carolina, the leaders of the House Energy and Commerce panel, wrote their own letter to the chief executive of Alliance Data, Epsilon’s parent company, asking for more details on how many customers were affected and how the breach occurred.

While only about 2 percent of its clients have been affected by the breach, Epsilon is refusing to say exactly how many customer emails were stolen.

Epsilon has said it is still investigating the breach and would apply necessary remedies as they are identified. Alliance Data said in a statement the company was cooperating with law enforcement .

Congressional hearing

Mack and Butterfield also asked for specific details on the timeline of events as well as details as to what the firm has done since then to mitigate the effects of the breach and prevent future incidents. They requested a response no later than 18 April.

A senior adviser to Bono Mack told Politico that a Congressional hearing may possibly address the Epsilon incident.

Senator Al Franken of Minnesota, chairman of the subcommittee on Privacy, Technology and Law, was concerned that Americans had no idea who owned their information and could not do more to protect their data. Franken vowed on 7 April to “do more to protect Americans’ digital information”.