The Capital One data breach was a harsh reminder for financial institutions and their customers that data breaches are an all too common occurrence growing at scale each time the next one hits.
The sheer scope of this incident shows how the fallout from this breach could be unknown for years: “Consumers and small businesses who applied for Capital One credit cards from 2005 through early 2019 are most at risk,” the company revealed.
The mainstream media highlighted the core of what everyone should know about the breach itself:
- No credit card account numbers or log-in credentials were compromised
- A former AWS employee hacked the personal information of approximately 106 million card customers and applicants
- A majority of the exposed data was from customers and small businesses that applied for Capital One credit cards between 2005 and early 2019.
- The breach compromised approximately 140,000 Social Security numbers and 80,000 bank account numbers, along with some credit scores and payment histories.
- Approximately 1 million Social Insurance Numbers were hacked from Canadian customers.
- The initially reported scope is roughly 50 million fewer impacted people than the Equifax breach in 2017, which exposed the data of nearly 150 million Americans.
- The breach occurred in March and was flagged for authorities on July 19 by an “ethical hacker” hired to test network security.
- Capital One estimates the cost of this data breach to be $150 million.
- The breached SSNs were reportedly tokenized, but the remainder of the data wasn’t.
Now for what financial institutions should care about most: what might happen to all that highly sensitive personal data. Although Capital One officials have publicly said they don’t believe the stolen data was used for fraudulent purposes, the hacker had intended to disseminate it online. At this point, we still don’t know whether, or how much, data was actually spread online.
If additional hackers get ahold of the stolen information, the following could happen:
- Hackers could apply for credit in the names of the stolen identities. Because the data includes creditworthiness and income information, the hackers can judge which fraudulent credit applications are likely to be approved.
- There could still be fraud directly related to Capital One cards that are opened fraudulently in the applicants’ names.
- Fraudulent account openings using SSNs and other credentials stolen in the breach could be the true fallout of this incident for years to come.
- New account fraud, digital wallet fraud (Zelle) and takeover fraud are the primary issues that could occur.
- Fraud could occur at other financial institutions with new accounts opened with stolen data.
- No fraud would likely occur on existing Capital One cards or other FIs’ existing cards, because no card info was stolen.
The currently known breached data should not impact most FIs’ card portfolios, since the breach did not include any client card info (that we know of). To stay ahead of potential fallout from new account fraud, financial institutions should be vigilant in educating their own customers who may be part of this data breach. This includes offering the following advice — particularly for those who applied for a Capital One card during the breach time frame.
- Educate Cardholders: Inform impacted cardholders that they should freeze their credit with the credit reporting agencies to avoid becoming a victim of new account fraud.
- Inform Cardholders About Common Card Fraud Scams: Following these types of major incidents, there may be an uptick in fraudsters contacting customers to gain access to additional personal information to open fraudulent accounts.
- Offer Credit Monitoring: Customers will have better peace of mind knowing the FI is proactively looking out for potential fraudulent incidents.
- Monitor Potential Fraud In Real-Time: Although it doesn’t appear the initial data accessed has been used for fraudulent purposes, that doesn’t mean it won’t be in the future if it gets in the wrong hands. Conduct real-time and weekly monitoring of fraud.
- Follow the Fallout of the Incident: Fraud can take new shapes and sizes as more data gets exposed to the wrong hands. Just because the initial reports on this incident don’t include fraudulent incidents or compromised card fraud, it doesn’t mean this incident can’t evolve into greater problems.
- Ask Customers if They Applied For a Capital One Card: For those customers that did apply for a card during that time, FIs should offer extra monitoring for fraud activity.