Capital One Experiences A Capital Sized Data Breach

August 2, 2019

It’s all over the news this week. There was another data breach, and if the numbers being reported are correct, it’s likely going to turn out to be one of the largest of this year. A very unsavvy “hacker” has been taken into custody for illegally obtaining the data of over 106 million Capital One credit requestors in the United States and Canada. The data included some Social Security Numbers (SSNs), self-reported income, names, addresses, birthdates, social insurance numbers for Canadians, and any other information that would typically be found on a credit application.

The suspect bragged about taking the data in an online chat room. Someone saw it and alerted Capital One, who looked into it and subsequently found it to be true. Supposedly, she used to work for the cloud services provider that Capital One used to store the data and knew how it was stored. She acquired the data via a flaw in a firewall, or perhaps a misconfiguration. Information about the details will no doubt continue to pour in over the coming weeks and perhaps months.

Capital One stated that 99% of those affected did not have SSNs stolen, and spokespersons have said they don’t believe the data has been used for fraud, though some of it was reportedly posted on the hosting service GitHub.

Those who applied for credit with Capital One between 2005 and early 2019 should consider freezing their credit. This means that no one, including you, will have access to credit information. And what does that mean? It means no one can be given credit in your name. It also means you won’t be able to apply for credit of any kind, or perhaps even apply to rent housing, without unfreezing it.

Fortunately, as of this writing, all three of the major credit bureaus (one of which will likely be used if anyone tries to apply for credit) have put the option to freeze credit on the front pages of their websites. TransUnion and Equifax have put a link right at the top. Experian has one toward the bottom, but it’s still on the front page. You have to visit each one individually to freeze your credit. It’s easy to unfreeze it, even temporarily. More good news is that it’s now free to either freeze or unfreeze it.

Of course, with any breach of this magnitude, there is likely to be some phishing. So be cautious when clicking links or attachments in email that may refer to this breach. If you don’t know the sender, are not expecting an attachment or link, or have any suspicion at all that it might be phishing, don’t click it. As always, if you are ever encouraged in email to check or modify account details, go directly to your account profile to do this using a previously bookmarked and trusted link. Don’t click links in, or reply to, these email messages.

Stickley on Security
Published July 31, 2019