Capital One Financial Corp has announced that more than 100 million people have been impacted by a massive data breach, through which an insider gained access to accounts and credit card applications. Here’s what you should know.

Here’s what was stolen:

• 140,000 U.S. social security numbers
• 1 million Canadian social security numbers
• 80,000 bank account numbers
• Undisclosed number of names, addresses, credit scores, credit limits, balances and other information

In addition, the hacker also gained access to credit scores, limits, balances and payment histories from 23 days during 2016, 2017 and 2018.

Fortunately the hacker did not gain access to any credit card numbers.

Capital One says the majority of jeopardized data is information on consumers and small businesses at the time they applied for credit card products from 2005 through early 2019.

Major Takeaways

Although information is still coming to light, some interesting points to note:

• This appears to have been an “inside job” perpetrated by an employee of AWS, Capital One’s cloud provider – not the result of some third party hacking scheme.
• Per reports, data was encrypted with additional sensitive fields tokenized – in layman’s terms - this makes it tougher for the “bad” guys to read the data
• There was an apparent weakness a firewall which allowed the bad guy remote access.

Most companies today use a cloud provider to address an aspect of its business processes. Although this event should not “scare” you away (indeed, despite the breach, Capital One appears to have taken numerous measures in protecting data and has been relatively transparent in dealing with the breach), this serves as a reminder that you can outsource functionality, but not responsibility.

How do you know if you’re a victim?

Capital One will notify affected individuals through a variety of channels and offer free credit monitoring and identity protection available to all affected.

Here’s how you can protect yourself from future attacks:

Though Capital One believes the information has not been disseminated or used for fraud, it is still crucial to remain vigilant against future attacks.

• Enroll in account text and/or email alerts to keep track of your credit card activity
• Monitor credit cards for unusual or suspicious activity
• If unusual activity is observed, call the number on the back of the credit card
• Bear in mind that phishing emails and calls could come after a breach. Stay vigilant!
• Note that Capital One will not call customers to ask for credit card or account information or social security numbers over the phone. If someone asks you for this via phone, it’s likely a hacker!
• Report suspected phishing activity by forwarding emails to abuse@capitalone.com

Need further guidance on protecting your data? We’re here to help. Contact our Information Security Services Team.