08/01/2019 16:11 EDT | Updated 08/02/2019 08:42 EDT

How To Protect Your Privacy In The Wake Of The Capital One Data Breach

Companies aren't taking security seriously, a privacy expert warns.

If you’re a victim of the Capital One data breach, you may be asking yourself what you can do about it now.  

“Unfortunately, as a consumer, in this instance, there’s nothing you can do,” former Ontario privacy commissioner Ann Cavoukian told HuffPost Canada.

However, there are steps you can take to make sure businesses know they have to take your privacy seriously, or risk losing you as a customer.

On Monday, the Virginia-based financial institution revealed approximately 100 million people in the U.S., and around six million people in Canada, were compromised by a “security incident.”

The company said in a statement a hacker gained unauthorized access to personal information, potentially affecting anyone who has a Capital One credit card, or has applied for one in the past. 

While Capital One claimed it “fixed the configuration vulnerability that this individual exploited,” it did not do so before a million Canadian Social Insurance Numbers were compromised.

“It just points to how ridiculous and weak security is on so many companies,” Cavoukian said. “They’re not taking it seriously.”

Richard Drew/The Associated Press via The Canadian Press
A monitor displaying Capital One's logo appears on the floor of the New York Stock Exchange on July 30, 2019.

Capital One said credit card numbers and log-in credentials were not exposed. However, the company added many forms of personal information were accessed, including names, addresses, zip and postal codes, phone numbers, email addresses, dates of birth and self-reported incomes. Other details such as credit scores, credit limits, balances, payment history and contact information were also obtained.

While Capital One noted it’s unlikely the information was used for fraud, Cavoukian expressed alarm over the sheer size and scope of the hack.

“It’s so outrageous,” she said. 

The alleged hacker was Paige Thompson, a 33-year-old former Amazon software engineer. The Associated Press reported she joined Amazon in 2015 to work at Amazon Web Services, a division that hosted the Capital One data she allegedly accessed illegally beginning in March. 

Cavoukian, executive director of Global Privacy and Security By Design, told HuffPost Canada she didn’t believe this was a sophisticated breach. 

“She could access this because it wasn’t strongly protected,” the privacy expert said. “Rest assured, you’ll be seeing class-action lawsuits emanating from this.”


Another troubling aspect of this breach is how far back it goes. Data from 2005 to 2019 was exposed, which means you could be affected even if you haven’t dealt with Capital One in over a decade. 

“They’re not very good at following through on deleting data they no longer require,” Cavoukian explained. “And it’s foolish because it’s a magnet. When you have information you no longer need and you still keep it, and it’s probably not encrypted, then it acts as a magnet for the hackers.”

The first step for affected customers is to take the identity protection and credit monitoring services being offered free of charge by Capital One. If the company doesn’t reach out, it might be best to contact them directly.

Cavoukian also recommended being extremely vigilant when looking over your monthly bills.

“Be very careful to review your credit card statements and any expenses that are attributed to you. Make sure they’re real, make sure they originated with you, and if not, contact Capital One right away.”

Perhaps most importantly, companies need to understand that customers are paying attention, and customers can show it by asking questions such as: What level of protection do you offer in terms of privacy and security?

“I find that just asking the question, it raises the awareness on the part of the organization you’re dealing with, and they start looking at it more carefully,” she said. “Just put them on alert.”

After all, this isn’t the first time a major institution was compromised. Desjardins reported a data breach in June that affected 2.7 million Canadians and 173,000 businesses. In 2017, the personal information of 147 million people was stolen in the Equifax data breach.

And while it may seem like privacy is eroding in the digital age, Cavoukian stressed it’s definitely something consumers should be demanding.

“Privacy’s worth the foundation of our freedom,” she said.

“You cannot have free and open societies without a strong foundation of privacy and security. And in this day and age of daily security hacks and data breaches, we have to get companies and organizations to take this much more seriously.”