Like a lot of you, this week I received several messages telling me my e-mail address had been stolen from a company called Epsilon that provides mass e-mail services to many giant corporations. At the end of this post you’ll find what I believe is the latest list of companies affected. I have heard from four of these companies so far — Best Buy, Chase, Hilton, and Ritz-Carlton, which is interesting because I don’t recall having even stayed at a Ritz-Carlton. From a look at the master list below I’m surprised I haven’t yet heard from Verizon, where I am also a customer. The point of this post isn’t just to print a list of Epsilon customers, but to say how screwed-up and perilous this event is for everyone involved including you and me. Heads should be rolling and there is no evidence yet that they are.
Epsilon, which has millions of consumer e-mail addresses and associated names, was hacked, losing some unstated number of customer records, probably numbering in the millions. The affected companies have sent very earnest messages notifying us, expressing hopes that the damage is limited, but urging us to be on the lookout for bad guys messing with our IDs. What they aren’t saying yet is this: “Epsilon screwed up, so we’re firing their sorry asses and suing them back to the stone age.”
If Epsilon made such a huge mistake they should be punished. If they are being punished, then we, as the truly affected parties, should be told that is the case. Better still, we should be compensated for our inconvenience. This is not business as usual. This is a huge steaming mess. Polite e-mail messages that say almost nothing are not an adequate response.
Here’s why I feel this way and you should too:
This stolen data will be used for phishing attacks, which is exactly what the companies are warning us to be on the lookout for. Those attacks will come, and telling us to be on our guard won’t stop some of them from succeeding. In my view that is a woefully inadequate response. Remember that the bad guys now have a lot of data on us: the name of the company we do business with, our names (in most cases), and our e-mail addresses. That is enough to craft a message that looks like it came from the very company we expect to hear from.
No matter what spin the companies put on it this is huge. Consumers will be compromised and losses in the millions — maybe tens of millions — will be incurred. And I don’t care if the banks say they’ll cover the losses, that never happens gracefully, at least not for me.
People who opted out with these companies were also exposed. So it isn’t just customers but also former customers and non-customers whose information was stolen. What is the legal exposure there? It’s an issue I haven’t seen discussed anywhere.
What if the bad guys start sending mail to the opt-out people (you know they will) and by doing so cause the affected companies to violate the CAN-SPAM Act of 2003? That can cost up to $16,000 per violation.
But hey, this is a case of simple theft and Hilton can’t be held responsible, can it? It isn’t clear.
Here’s what the Federal Trade Commission says: “The law makes clear that even if you hire another company to handle your email marketing, you can’t contract away your legal responsibility to comply with the law. Both the company whose product is promoted in the message and the company that actually sends the message may be held legally responsible.”
That’s a giant class action lawsuit just waiting to be filed.
But wait, there’s more! Any company that accepts credit cards is subject to security assessment under the card brands’ PCI DSS rules. Will the companies listed below pass their next such assessment? On the face of it they shouldn’t, because their systems have been compromised. (Strictly, a PCI assessment covers the systems that store, process or transmit card data, and a marketing vendor’s list of names and e-mail addresses may sit outside that boundary; the question is how an assessor, and the card brands, treat a company whose outsourced customer data has just been stolen.) Blaming Epsilon doesn’t change that because, as in the FTC example above, the companies can’t simply delegate responsibility. And I sincerely doubt that Epsilon or its parent, Alliance Data Systems, is in a financial position to indemnify all those companies.
Again you might say this is an overreaction on my part, that cooler heads will prevail. Maybe so, but the ugly truth here that isn’t being addressed is that some, maybe many, of these companies could be hiding a multitude of security sins that would come to light in such an audit. Do they really want to let anyone who knows what they are doing have a close look at systems that may be antiquated or even non-existent?
If this Epsilon mess causes a rash of credit card claims and chargebacks that trigger automatic security audits, then even if the Epsilon event itself is explained away, a lot of these companies will still be in trouble.
The worst part of all, though, is that nobody in this mess is on our side, nobody. Apparently we’re not too big to fail.
Here is what I understand to be the current list of affected companies:
Air Miles CA
Barclays Bank of Delaware
Bebe Stores Inc.
The College Board
Food 4 Less
The Home Shopping Network
JP Morgan Chase
Marks & Spencer (UK)
New York & Co.
Red Roof Inns Inc.
Viking River Cruises
World Financial Network National Bank