In July of 2019, Capital One Financial Corporation disclosed that it suffered a data breach in which an alleged hacker illegally accessed the personally identifiable information (PII) of over 100 million individuals in the United States, and another 6 million in Canada1.
The accused attacker was arrested on charges in connection with the crime by federal agents. The alleged hacker is being charged with one count of computer fraud and abuse for accessing customer data that the bank had stored in the cloud, via Amazon Web Services (AWS), and was reported to have boasted of the breach online, which led to a rapid apprehension2.
The hacked data includes names, addresses, phone numbers, credit scores, and credit limits of customers who applied for credit card products from 2005 through early 2019. Fortunately, of the 100 million breached records only around 140,000 U.S. Social Security numbers (SSNs), 80,000 linked bank account numbers for secured credit card customers, and 1 million Canadian Social Insurance numbers were compromised. The hacker, a former AWS employee, was able to gain access to the data through exploiting a misconfigured web application firewall. Capital One has indicated that the configuration has since been fixed. They have apologized for the breach and expressed their commitment to make things right. To learn more about this incident and the response of Capital One, visit capitalone.com/digital/facts20193.
How will you know if you were impacted?
If you are a Capital One member, you should immediately update your login information, including your username and password. If you use the same credentials on other sites, be sure to change those as well. At a minimum, passwords should be 12 characters long, using at least one uppercase letter, one lower case letter, one number, and one special character (a symbol).
In addition, it is important to watch out for phishing attacks. A phishing attack is defined as "an attempt to gain sensitive, confidential information such as usernames, passwords, credit card information, network credentials, and more". By posing as a legitimate individual or institution via phone or email, these cyber-attacks use social engineering to manipulate individuals into performing specific actions - like clicking on a malicious link or attachment - or willfully divulging confidential information4.
Thieves often use news of a breach to generate new attacks, posing as the affected company to trick consumers into giving personal information. If you get a suspicious email, be sure to look for the following red flags:
- Questionable details in the domain name. For example, is the email coming from capitalone.com or a suspicious looking domain, such as capitalone.com.cgi?
- Hover over any URLs or buttons before clicking on them. Before clicking on any link or button in an email, be sure to hover over it to see the actual destination URL. Does the URL match the domain, in this case capitalone.com, or is it taking you to an unfamiliar URL web page?
- Don't download images unless you are 100% sure that the email is legitimate. Unless you are confident that you know the sender and you are expecting an attachment, do not click to download any images or files. The attachment could contain malicious code that could enable the attacker to gain access to your system and expose your personal information and other confidential data.
At the moment, Capital One doesn't have a website that allows you to confirm if you were part of the breach, but they did announce a plan to "notify affected individuals through a variety of channels". Capital One has also promised to make free credit monitoring and identity protection available to everyone affected by the breach. If your data was exposed, you will be notified through a variety of channels and will most likely receive a letter or email from the company5.
Whether your information is at risk or not, Portfolio Solutions® recommends you do the following to protect your accounts, credit, and identity:
- Closely monitor financial accounts. Review your credit card, bank, and other financial statements every month for any unauthorized or suspicious activity.
- Check your credit report. All Americans get one free credit report per year from all three major reporting agencies. Closely analyzing these reports can help you spot any suspicious activity.
- Subscribe to identity protection services. These services protect identity-based information like your SSN if breached, offer credit monitoring and provide alerts should suspicious activities occur.
- Initiate a credit freeze. A credit freeze restricts access to your credit report and blocks others from applying for unauthorized credit in your name. When you need to allow access to your report, you can "thaw" the freeze temporarily. Read more at the Federal Trade Commission's site on credit freezes here6.
Please note there is a cost associated each time you freeze and thaw your credit accounts.
Credit fraud continues to increase exponentially, so taking steps to protect yourself is a critical component of any cybersecurity protection plan. Be sure to watch for future weekly emails from Portfolio Solutions®, which will include tips to stay cybersecure!
If you have any questions or concerns about the Capital One data breach, identity theft, credit fraud, or cybersecurity in general please contact Portfolio Solutions® today by calling (248) 689-1550. Not a current client, but ready to get started? Click here to schedule a phone consultation to learn more about Portfolio Solutions® and how we can serve you!
All information presented is compiled from sources believed to be reliable and current, but accuracy cannot be guaranteed. This information is distributed for education purposes, and it is not to be construed as an offer, solicitation, recommendation, or endorsement of any particular security, product, or service. Please click here to see our blog disclosure, which immediately follows the "Applicable Law and Venue" section.