Senator Blumenthal Requests Investigation Into Epsilon Security Breach

(Washington, DC) – Senator Richard Blumenthal (D-CT) today wrote to U.S. Attorney General Eric Holder to request that the Department of Justice investigate reports of a security breach involving personal data controlled by Epsilon, an internet email marketing firm.

“Consumers deserve more complete information on the data breach, as well as the assurance that their personal financial information will be securely maintained,” wrote Blumenthal. “If personal financial information has been compromised as a result of this incident, Epsilon should be required to provide written notification of the breach, specific information about the data that may have been improperly accessed by third parties, and personal information security protection, including free access to credit reporting services, and insurance for two years.” 

On April 1, 2011, Epsilon reported a security breach of its database of customer names and email addresses, which it collects from various companies, including many retail and financial firms. Epsilon uses this database to sell its marketing services to more than 2,500 clients.

The Better Business Bureau reported that the breach could impact consumers who use banks and retailers. The release of contact information, including names and email addresses, would allow scammers to seek financial and identification information from consumers, including Social Security numbers, credit card numbers or banking accounts.

Blumenthal also plans to contact Epsilon directly to make similar requests.

The text of the letter that was sent:

April 6, 2011

The Honorable Eric H. Holder, Jr.

Attorney General of the United States

United States Department of Justice

950 Pennsylvania Avenue, NW

Washington, DC  20530-0001

Dear Mr. Attorney General:

I am writing to formally request an expedited investigation into possible civil and criminal liability, and to highlight key issues to consider in the course of that investigation, concerning recent reports of a major data security breach involving Epsilon, an internet email marketing firm.

On April 1, 2011, Epsilon reported that it had experienced a security breach of its database of customer names and email addresses which it collects from various companies, including many retail and financial firms. The company has not specified how many consumers have been affected by the security breach. Epsilon has not provided a list of companies affected. While some of Epsilon’s client companies have notified their customers of the breach, other consumers may be unaware that their names, email addresses and other potentially identifying information may be at risk.

I believe that immediate notification to all customers is vital to protect them – and enable them to protect themselves – from identity theft. Despite claims by Epsilon that only the names and email addresses of individuals may have been compromised by this security breach, I ask that your review of this incident determine whether individually identifiable financial information has been compromised. Names and email addresses would allow unscrupulous actors to send emails to consumers – ostensibly from the retailers with whom the consumer does business – seeking private financial information such as credit card numbers or checking or banking accounts.

I believe that affected individuals should be notified and provided with financial data security services, including free access to credit reporting services, for two years, the costs of which should be borne by Epsilon or its affected clients.  I believe it is also necessary to provide every affected individual with sufficient insurance to protect them against possible financial consequences of identity theft. 

Consumers deserve more complete information on the data breach, as well as the assurance that their personal financial information will be securely maintained. If personal financial information has been compromised as a result of this incident, Epsilon should be required to provide written notification of the breach, specific information about the data that may have been improperly accessed by third parties, and personal information security protection, including free access to credit reporting services, and insurance for two years.

Thank you for your attention to this important issue and for your continued work on behalf of the American public.

Sincerely,

Richard Blumenthal

United States Senate

###