First the bad news. Capital One revealed yesterday in a statement that a hacker stole data for around 100 million people in the US and an additional 6 million in Canada that was held on Capital One’s cloud servers. This information mainly came from consumer and small-business applications for credit cards that were filled out between 2005 and early this year, the Virginia-based bank said. Among the stolen data were contact information, dates of birth, and income. Some Social Security numbers, linked bank account numbers for secured credit cards, and 1 million Social Insurance numbers for Canadian customers were also taken.
The company doesn’t think the information has been used for fraud or disseminated to other people yet, but says it is still investigating, and that the FBI has arrested the hacker responsible. In the meantime, the bank says it will contact people who have been affected “through a variety of channels” and provide them with free credit monitoring and identity theft protection. (Capital One says it isn’t calling customers about the incident, so any call asking for banking or personal information should be treated as a red flag.)
Data breaches like these are only going to continue, as Rahul Telang, professor of information systems at Carnegie Mellon University, told Quartz after the massive Equifax breach was disclosed in 2017. At this point, most people’s personal data is already out there, for sale on the dark web. For $40 to $200, a full package of an American’s personal data—from credit and criminal history to bank account numbers—can be purchased on the unindexed internet, according to Armor research.
The good news is that we can plan for what happens after our data is stolen.
As NerdWallet points out, people who think their data has been compromised can freeze their credit, which blocks lenders from accessing their credit files. Creditors typically check these histories before opening a new account, and will be unwilling to open one with a block in place. A freeze doesn’t cost anything, doesn’t impact credit scores, and your files can be temporarily unfrozen when you need them.
Consumers can also place a fraud alert on their files, which lasts a year, and warns creditors to verify the customer’s identity before issuing new credit.
Regardless of whether your name has shown up on a data-breach list, it can be worthwhile to monitor your credit score. US consumers are entitled every year to a free credit report from the three major credit bureaus.
Companies and government officials can do more, too. Credit freezes could be automatic, and simpler. Wherever possible, data could be aggregated to protect identities and private information. Encrypting and tokenizing stored data can help but, as the Capital One exploit shows, a knowledgeable hacker may find a way around this defense. Fraud-protection services could be made available to victims as a default.
Some think a more muscular government approach is necessary. Large fines and penalties for data intrusions would give companies an incentive not to hold data unless they absolutely need it, and could inspire them to take better care of it when they decide to retain the information. This is already the case in the EU, where sweeping GDPR data protection rules require companies to get explicit permission from people in the bloc to use their information, and also give regulators the authority to levy fines for failures.
“In the long run, we don’t want companies holding vast stores of credit card information which can be used for future fraud,” Shuman Ghosemajumder, CTO of Shape Security, told Quartz in December.