Data Safety After The Capital One Breach
When the data from 100 million customers was stolen from Capital One by a rogue software engineer, Americans realized they should protect themselves from cyber-attacks. The data breach was just one in a long history of people’s personal information getting extracted from sources once considered trustworthy.
Previously, the credit reporting agency Equifax was hacked in 2017, exposing the personal information of 147 million people. Another company, Experian, was hacked in 2013, allowing 30 million customers’ identities to be sold and thousands of fake tax returns filed with that stolen information, defrauding the individuals and the government out of $65 million. Both companies are accused of waiting too long to disclose the breaches, and an executive at one pleaded guilty to using insider information to benefit financially from the bad news that caused the company’s stock to plummet.
The Capital One information included customer’s credit applications from as far back as 2005, including a variety of account information, personal details, and social security numbers of Americans and Canadians. The hacker bragged about it in an online chat room, allowing another person to report it to the company.
The Federal Trade Commission received a 24 percent increase in reports of identity theft in 2018, a year when such hacks and criminal misuse of personal information cost consumers nearly $1.5 billion. Some of the security steps that could be taken include:
• developing a tough data protection law such as the GDPR in Europe, which would make it harder for thieves to match online data with stolen data, and would create more stringent requirements for companies to disclose hacks within a brief, specified time period;
• removing some of the onus for repair from consumers by making companies more responsible for their errors;
• making credit reports harder to acquire, rather than allowing any company weighing an application to access such sensitive personal information, and
• a federal-level data protection agency to safeguard not only consumer information but sensitive federal data, the sort of which was revealed in a breach of federal employee information several years ago (including fingerprints that could be used to access some protected installations).
How Can You Protect Yourself From a Data Breach?
Hacked information doesn’t always lead directly to drained bank accounts or unauthorized credit card charges. It can bubble up years later in unusual ways, including someone using your credit to get a loan or to open a new credit card account, or people filing fake tax returns in your name.
One of the most effective ways to block cyber-attacks and identity theft is to put a freeze on your credit reports. This blocks most applications for credit, preventing thieves from taking out loans in your name. It does not stop those who already have your personal information from other attempts to steal money, including filing fake tax returns or accessing your current bank accounts or credit cards.
Because much of the data stolen from Capital One and in other breaches was incomplete and didn’t allow direct access to accounts, consumers should be particularly concerned about phishing scams. This sort of directed fraud is harder to resist when the perpetrators have a significant amount of personal information that convinces the consumer that their inquiry is real. Ways to spot a phishing scam include:
• an email from your bank, credit card company, a business, or someone claiming to be from the IRS or government agency that you have not requested;
• the email says you need to provide a specific piece of information or to “update your account”;
• the email seeks to confirm some personal or access information, such as PIN number, birth date, or social security number;
• the sender’s email address is slightly different from other official websites, such as a bank name with a .info or .us address rather than .com, or
• it asks you to click on a link provided (which could release a trojan virus on your computer).
If you suspect that there’s some validity to the email, contact the company through another method rather than clicking on the link provided. Never send a PIN number, social security number, or other personal information in response to this sort of request. If it’s a credit card company, call the number on the back of your card. Your bank statements will provide ways of contacting that lender’s customer service if something needs to be rectified. And the U.S. government, including Social Security Administration, IRS, Medicare, and Medicaid, do not make phone calls demanding immediate payment of any amount through wire transfers or gift cards.