Over the past few years, we have seen some of the biggest companies experience data breaches. The companies cover a majority of the service sector and range from credit monitoring bureaus (Equifax) and hotel brands (Marriott) to fast food restaurants (Sonic Drive In) and even an airline (Cathay Pacific). Yesterday, Capital One announced it discovered an unauthorized person had gained access to customers’ personal information.
Here is an excerpt from the press release:
Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.
Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
- Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
No bank account numbers or Social Security numbers were compromised, other than:
- About 140,000 Social Security numbers of our credit card customers
- About 80,000 linked bank account numbers of our secured credit card customers
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
The company also stated that no credit card numbers or log-in credentials were compromised, while only one percent of Social Security numbers were. Capital One will follow the lead of Equifax and provide free credit monitoring and identity protection to those affected.
While security breaches are a very big deal, I find it fascinating that one person was able to gain access to all of this personal information. Companies need to invest more in security so customers’ information is safeguarded. I fear, at this point, it may be too late.