Capital One Announces Data Breach: SSNs and Bank Account Numbers Hacked


A typical Monday evening became a little more sinister as news broke that Capital One experienced a data breach – and one that could have far-reaching impact for its cardholders. The Virginia-headquartered company says that they became aware of unauthorized access by an outside individual on July 19, 2019. The hacker was able to obtain sensitive customer information, including Social Security numbers and linked bank account numbers for a small fraction of current Capital One cardholders.

Capital One says the configuration vulnerability that the perpetrator exploited was immediately fixed, and the FBI has already arrested the person responsible. Importantly, outlets have reported that it’s unlikely that the information was used for fraud or made available on the black market or elsewhere.

To date, investigations show that the data security incident affected approximately 100 million individuals in the United States and approximately 6 million in Canada. The largest category of information compromised was information on consumers and small businesses at the time they applied for one of Capital One’s credit card products from 2005 through early 2019. This is your routine credit card application form information: names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

Outside of the credit card application data, the perpetrator also obtained portions of credit card customer data, including: customer status data (i.e., credit scores, credit limits, balances, payment history, and contact information) and fragments of transaction data from a total of 23 days during 2016, 2017 and 2018. Lastly, about 140,000 Social Security numbers of U.S. credit card customers, 80,000 linked bank account numbers of secured credit card customers, and 1 million Social Insurance Numbers of Canadian credit card holders were hacked. Capital One says they will notify affected customers through a variety of channels.

In the age of IoT, we are increasingly seeing breaches that affect consumers across geographical boundaries. While this Capital One breach is just one example, we know we’ll continue to see more like it. That said, it’ll be imperative moving forward that there are companies that can offer their global customer base an identity protection solution that meets the particular identity threats present in their country while dually responding to global security incidents that affect consumers across the globe. Here at Generali Global Assistance (GGA), we are working hard to make that a reality; to date, we offer identity protection services in the U.S., Canada, France, and Italy, and are in the process of launching across Europe and in India. These are unique products that meet each specific market’s identity protection needs, and, most importantly, they’re proactively addressing the rising issues present in each country.

Safeguards and Proactive Monitoring are Key

Though Capital One says they will be offering free credit monitoring and identity protection of some form to those affected, it’s clear that today’s consumers are no longer protecting themselves from singular incidents. These post-breach protection offerings are often provided for a specific amount of time, and before they expire, another breach will likely be making headlines. This is why it’s more important than ever for consumers to proactively protect themselves with a comprehensive identity protection program that they can trust.

If your customers or employees aren’t part of this data breach, we know that the future holds many breaches yet to come, so the time to act is now. Share the following data breach safety measures with your customers and employees to help reduce their risk:

  • Make monitoring activity on your financial and credit card accounts part of your routine.
  • Set up two-factor authentication where available for extra security.
  • Rethink the information you’re sharing online (specifically social media). With so much information leaked in breaches, hackers are able to piece together compromised information with the information you publicly share to create a holistic picture of your identity.
  • Always use strong and unique passwords, and don’t reuse passwords across multiple platforms (this allows hackers to access multiple accounts when just one is breached).
  • Be on the lookout for any phishing emails. In the aftermath of any data breach, it’s common for those affected to receive an influx of phishing emails supposedly from the organization breached or other trusted service providers. Phishing emails are a common way fraudsters can get even more personal data from you.
  • Sign up for an identity protection service that includes credit and identity monitoring if you haven’t already. Just be aware that not all monitoring services will protect you equally, so make sure you find a service with powerful monitoring capabilities and 24/7 full-service resolution assistance, should you ever find yourself the victim of fraud.
  • When assessing identity protection programs, make sure you choose one that also includes high risk transaction alerts. GGA monitors tens of millions of high risk transactions with more than 300 of the nation’s largest companies to uncover and thwart account takeover attempts. This, in particular, will be key in the aftermath of this breach.
  • Comprehensive identity monitoring services should utilize automated monitoring and human threat intelligence for their internet (surface, deep and dark web) surveillance and compromised credential monitoring. The monitoring should also include alerts so that if your information is detected, you can quickly assess and work with resolution experts to minimize any impact.

Some recommended information to monitor includes:

  • Login credentials for online accounts
  • Social Security number / Social Insurance Number
  • Email addresses
  • Date of birth
  • Debit/credit card numbers
  • Bank account numbers
  • Insurance card/policy number
  • Driver’s license number
  • Loyalty card numbers
  • Affinity card numbers
  • Passport number

As more details and developments are released, we will be updating our Twitter account with more information; please follow @GeneraliGA_NA as the story unfolds.