Capital One Data Breach

Capital One Data Breach: What You Need to Know

More than 100 Million Americans Exposed. What Comes Next?

On July 29, Capital One announced they were the latest major financial brand to experience a security breach. The attack exposed the data of more than 100 million people. Are you among them, and if so, what should you do now?

What Happened?

First, let’s explore the details of the attack, including how it happened and what it could mean going forward.

The attack was carried out by a disgruntled former Amazon Web Services engineer who’d performed contract work with the bank. The attacker, a US woman named Paige Thompson, used her knowledge of the company to access Capital One’s internal network. By exploiting a minor misconfiguration in the bank’s firewall, Thompson manage to breach the system and steal a massive cache of raw data from the bank’s servers.

The hack exposed the information of about 100 million Americans, plus 6 million people in Canada. Not all individuals had the same data exposed. However, the data Thompson managed to steal included roughly 140,000 Americans’ Social Security numbers, 80,000 bank account numbers, and 1 million Canadian social insurance numbers. In addition, other information exposed in the attack includes:

  • Full Name
  • Street Address
  • Zip/Postal Code
  • Phone Number
  • Email Address
  • Date of Birth
  • Self-Reported Income
  • Credit Scores
  • Account Balances

While the attack was identified quickly—mostly due to one user alerting the authorities after Thompson bragged about the incident online—the damage is already done. Some of this information may leak onto the web…and into fraudsters’ hands.

Possible Consequences of the Capital One Hack

There are two primary threats facing consumers in the wake of this attack. First is account takeover fraud, or ATO, which involves hackers taking over a legitimate user’s account to make fraudulent transactions. The second is synthetic fraud, which involves using stolen consumer information, often of multiple consumers, to “create” a new user from scratch.

Both of the above are forms of identity fraud, but the difference is in the tactics employed. With ATO, a fraudster often uses partial data to try and hack an individual’s account. Thus, if you’re hit by an ATO attack, you should see that reflected right away in your bank statement. With synthetic fraud, though, the criminal uses partial data to attack the user indirectly. You may not see evidence of synthetic fraud until months, or even years, after an attack.

So, what can you do about it? If you suspect you’ve been the victim of the Capital One hack, here are a few tips that can help you protect yourself:

  1. Create a Fraud Alert: You can initiate a fraud alert, which will warn three major credit bureaus (Equifax, Experian, and TransUnion) that your information might have been compromised. This will notify any lenders to contact you before allowing any new credit lines in your name.
  2. Freeze Your Credit: You can add an additional precaution by freezing your credit. When a freeze is in place, no new lines of credit will be allowed in your name. This can only be undone by calling to authorize the bureaus to unfreeze your credit.
  3. Monitor Your Credit: As a consumer, you’re entitled to three free credit reports every year (one from each bureau). Space these reports throughout the year, and watch for any sudden changes, unfamiliar lines of credit, or other suspicious activity.
  4. Monitor Your Accounts: Keep close tabs on your billing statement, and watch for any suspicious activity. Most banks offer alerts that will trigger if they detect suspicious activity.

Have you noticed a suspicious transaction on your statement? Suspect you might have been the victim of account takeover or some other fraud activity? Contact eConsumer Services. We work with merchants and banks to resolve disputes and get your money back fast.