
Consumer Affairs

Senator: U.S. Should Investigate Criminal, Civil Sanctions Against Epsilon

Consumers deserve more information about massive data breach, Holder told


Sen. Richard Blumenthal (D-Conn.) wants U.S. Attorney General Eric Holder to look into filing civil and criminal charges against Epsilon, the commercial email and direct-marketing firm involved in last weekend's huge data breach.

Blumenthal also says Epsilon should be required to immediately notify all customers potentially affected by the breach, which is likely to lead to "phishing" expeditions, in which criminals send official-looking emails asking consumers to confirm their personal data, which then falls into the hands of the criminals.

“Consumers deserve more complete information on the data breach, as well as the assurance that their personal financial information will be securely maintained,” wrote Blumenthal. “If personal financial information has been compromised as a result of this incident, Epsilon should be required to provide written notification of the breach, specific information about the data that may have been improperly accessed by third parties, and personal information security protection, including free access to credit reporting services, and insurance for two years.”

Epsilon sends millions of emails for major firms including Citibank, Best Buy, Target and Capital One. Hackers broke into its database last weekend and stole millions of consumers' names and email addresses.

"The company has not specified how many consumers have been affected by the security breach," Blumenthal said in his letter to Holder. "Epsilon has not provided a list of companies affected.  While some of Epsilon’s client companies have notified their customers of the breach, other consumers may be unaware that their names, email addresses and other potentially identifying information may be at risk."

Tepid warnings

As ConsumerAffairs.com reported yesterday, even consumers who have been notified may not realize the danger they face. Many of the warnings sent by Epsilon client companies have been tepid and have not emphasized the dangers consumers face now that their email addresses and names are known to criminals.

For example, Ameriprise, a financial services firm that manages investments for 2.8 million clients, sent an email that said: "Epsilon sends marketing and service emails on our behalf but does not have access to sensitive client data such as social security numbers. They have assured us that only names and email addresses were obtained. We take your privacy very seriously and want you to be aware of this."

Assuming it is true that only names and email addresses were stolen, that is still a very valuable starting point for criminals, online security experts noted. Just the ability to match full names and email addresses gives scam artists a head start on chipping away at the rest of an individual's private information.

Once the information has been compromised, it is likely to be widely distributed in the black market and used by numerous scam artists for many years to come.

Blumenthal thinks consumers deserve more complete information and assurance that their information will be securely maintained in the future.

"If personal financial information has been compromised as a result of this incident, Epsilon should be required to provide written notification of the breach, specific information about the data that may have been improperly accessed by third parties, and personal information security protection, including free access to credit reporting services, and insurance for two years," his letter concluded.

Epsilon reassurance

For its part, Epsilon said again yesterday that the breach involved only names and email addresses and said it was working with federal officials to investigate the incident.

"We are extremely regretful that this incident has impacted a portion of Epsilon's clients and their customers. We take consumer privacy very seriously and work diligently to protect customer information," said Bryan J. Kennedy, president of Epsilon. "We apologize for the inconvenience that this matter has caused consumers and for the potential unsolicited emails that may occur as a result of this incident. We are taking immediate action to develop corrective measures intended to restore client confidence in our business and in turn regain their customers' confidence."

