House Lawmakers Want Info About Data Breach – So Do I!

Posted on by Dissent

Earlier today, I noted that Senator Blumenthal had asked Attorney General Holder to open an investigation into the Epsilon breach.

Also today,  some members of the House decided that they wanted some answers, too. Juliana Gruenwald reports:

In a letter Wednesday to Epsilon’s parent company, Alliance Data Systems, the leaders of the Subcommittee on Commerce, Manufacturing and Trade voiced concern that even access to limited data such as a name and e-mail address can lead to identity theft.

“In the simplest fashion, a criminal can easily create a phishing e-mail that could lead an unwitting consumer into financial disaster,” subcommittee Chairwoman Mary Bono Mack, R-Calif., and ranking member G.K. Butterfield, D-N.C., wrote. “With a reported 40 billion marketing e-mails sent a year, the Epsilon breach could potentially impact a historic number of consumers.”

In response, the lawmakers asked for more details by April 18 on the breach and how it might affect consumers.

Some of the information they are seeking include: when Epsilon learned of the breach; when it notified authorities and its corporate customers about the breach; how many companies and consumers were affected; which companies were affected; what information was taken; how did the breach occur; and what steps the company is taking to prevent future intrusions.

Oh please, please, please, add a P.S. to that list of questions to include:

  • Was that Epsilon’s first breach, its second, third…?

And if there was a previous breach (as seems to be a reasonable hypothesis in light of Walgreens’ previous notice to customers):

  • Was this breach via the same means as the previous breach circa November 2010?
  • How many clients – and specifically which clients – did they notify of the 2010 breach?
  • What additional security steps did they take in response to Walgreens’ reported request in December 2010 that they add security protections to prevent a breach like the one Walgreens reported to its customers in December 2010?
  • Epsilon detected the breach on March 30, but when did it actually occur?
  • What other kinds of personal information were on the same server(s) that were compromised?

Read more on National Journal.

You can read the Representatives’ letter to Alliance here.

Category: Breach IncidentsBusiness SectorHackU.S.