When news emerged on Monday evening that Capital One, one of the biggest issuers of credit cards in the world, had been breached in a major data hack where the personal information of more than 100 million people was stolen, reaction from consumers was swift and almost unanimous: another one?
That’s because the hack — in which a former Amazon Web Services employee broke into Capital One’s servers and stole information on up 106 million people, including 140,000 Social Security numbers in the U.S., and 1 million Social Insurance Numbers in Canada — is just the latest in a long run of hacks, each seemingly bigger than the last.
U.S. retailer Target was among the first to be hit in a major way, as the chain revealed in 2013 that credit card data for 70 million of its customers was stolen. Next was do-it-yourself hardware chain Home Depot the following year, where 57 million people were affected.
Hotel chain Marriott was next in the hit parade, in a multi-year breach that dated back to 2014 when hackers exploited a flaw in their cybersecurity to steal credit card details and other data on half a billion customers.
But the biggest one to date was Yahoo’s. The online company admitted in 2017 that an astonishing three billion people had their Yahoo emails breached by online fraudsters.
That same year, credit monitoring firm Equifax revealed that it had been hit, as 143 million people had their information stolen.
For many people, the Equifax breach was emblematic of just how widespread the problem of data theft is, because the information was stolen from a credit reporting agency that also offers credit-monitoring services itself.
This week’s Capital One hack is just yet another reminder of what cybersecurity experts have known for a while: you’ve probably already had your information stolen, and the only question is whether you know it.
“Assume your data is out there because in all likelihood it is,” is how cybersecurity journalist Brian Krebs puts it.
In and of themselves, none of the major breaches may have been enough for a fraudster to “steal” someone’s entire identity, nor do they mean that the hundreds of millions of victims can expect to have major headaches to worry about for the rest of their lives.
But each new breach just increases the likelihood of that happening, Krebs says. “It adds to the pile of information that is available for the bad guys to do bad things with.”
When asked what percentage of the general population has had their data stolen in one form or another, his reply is blunt: “100 per cent,” he says.
Daniel Tobok, the chief executive officer of cybersecurity firm Cytelligence, agrees with that estimate. Capital One’s breach this week means roughly one out of every six people in Canada was caught up in the hack. Taken with previous ones, the simple math quickly adds up to the ugly truth that just about everyone has already been impacted, whether they know it or not.
“Almost any Canadian over the age of 18 has had their information compromised by this time,” he said.
That may sound bleak, but he says consumers are far from helpless in the scenario. He offers the same advice that we often hear in these situations: keep an eye on your accounts, take note of any strange new activity, contact the companies involved and trust your common sense. “Check your statements on monthly basis, and just be on alert,” he said.
While stolen information can hang around on the dark corners of the internet for years, available to the highest bidder, Tobok says the most likely time that a fraudster is likely to use the ill-gotten information is within a few days of receiving it.
So be vigilant and “don’t fall for any of those pranks,” such as phone calls purporting to be from Capital One, looking for more financial information.
Indeed, Capital One made it explicitly clear that they will not call anyone who’s data was stolen in this breach. “So don’t fall for any of those scams,” Tobok says.
Experts often advise that consumers sign up for a credit monitoring service such as Equifax or TransUnion to alert them of any suspicious activity on their file. But even ignoring the fact that Equifax itself was hacked, Krebs says those services are far from fool-proof at the best of times.
“They might tell you when somebody takes out a new line of credit in your name and runs up a bunch of bills,” he said, “but they don’t stop it.”
Lucia Lau, a Torontonian who has a Capital One card, told CBC she was worried when she heard news of the breach on Monday. “It’s scary … I want to cancel my card,” she said. And like many, she’s not satisfied with the company’s response so far. “I think they have to do lots of prevention work, not wait until something happens,” she said.
Consumers like Lau might hope that the powers that be are working feverishly behind the scenes on their behalf, but the reality is that for most people, their fate is largely out of their hands. With that being the case, is there anything Canadians can do to protect themselves?
“There isn’t,” Tobok says. “We don’t have a lot of control of our data [so] the responsibility falls out of our hands because we have no control over it.”