The latest large-scale data breach, involving Capital One credit card applicants, is just the most recent in a string of financial institution breaches. But that doesn’t mean you should ignore it, nor should you panic. With a vigilant approach to your own online financial security, you can reduce any harm to your accounts today and in the future.
Capital One announced the bad news last week that 106 million people had been affected by the breach and a suspect had been arrested. As with the Equifax breach response in 2017, Capital One said it will notify affected individuals via a variety of channels and will make free credit monitoring and identity protection available to everyone affected. Those messages are scheduled to be sent this week.
While the gap between Capital One learning of the breach and sending notifications to affected customers is relatively short, you’ve still lost about a month of time when you could check whether your data was included in the breach.
But you will never know the moment a breach is discovered because the victimized company needs time to investigate what information was stolen and from whom in conjunction with law enforcement. All 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted security breach notification laws that require businesses or governments to notify consumers or citizens if their personal information is breached, but the time requirement varies tremendously from 72 hours in California to a “reasonable” time in Utah. At this time, there is no federal data breach notification law or universal data privacy law such as the European Union’s General Data Protection Regulation (GDPR) enacted in 2018.
You will see a spike in the cry for federal regulation following this latest breach, but don’t look to the government to stop data breaches — that’s simply not possible in today’s digital world. Steve Soukup, Chief Revenue Officer for cybersecurity firm DefenseStorm, told Forbes, “Ultimately, this isn’t about stopping breaches. It is about detecting, containing and recovering from them as fast as you can. It is about making informed decisions about acceptable risk. Regulations from Washington aren’t going to make that happen.”
Financial institutions and businesses are under great pressure to harden their defenses against cybercriminals. Some will do better than others, but it will never be enough in an escalating game of cat and mouse. So let’s face reality: it’s up to you.
Here are a number of steps you can take to protect your sensitive data, including your financial accounts, starting with minimizing the data you share with companies. Don’t apply for any unnecessary credit cards, reward cards or other similar programs. I am sure a week doesn’t go by without a credit card offer in my mailbox, and a majority of those are from Capital One. Such offers don’t even make it into the house, but are tossed right into the recyclables can.
Sign up for a credit monitoring service, either through your bank or through a third-party service such as Credit Karma. Even with this safeguard in place, you’ll want to regularly monitor your online accounts for suspicious activity to cover any delay between activity and reporting.
Use unique passwords for all sensitive accounts, including social media. When login credentials are stolen from a seemingly harmless website, attackers often reuse them to try to gain access to financial accounts.
Capital One issued consumer information about the breach last Friday, along with recommendations for its customers who may have been affected. The company said it is not calling, texting or emailing customers to ask for account information or Social Security numbers related to this cyber incident. If you receive such a message, know it is fraudulent. Cybercriminals often take advantage of a big breach to coax information out of possible victims.
If you responded to a phishing scam, call Capital One to let them know that your account information may have been compromised. Then sign in to Capital One Online Banking and change your password and security questions. Check your accounts for suspicious activity. Update and run antivirus software on your computer in case a link you may have clicked on infected your computer with malware.
You may also want to request a copy of your credit report from each of the three national credit reporting agencies: Equifax, Experian and TransUnion. You can make this request without charge once every 12 months. Review each report for any unauthorized activity and check to make sure all of your information is accurate. Identity thieves may change information for their benefit. If a change has been made, report it immediately to the credit bureaus. You can also call the toll-free fraud number of any one of the three nationwide credit bureaus and place an initial (90 days) or extended (seven years) fraud alert on your credit report.