100 million customers risk data breach with Capital One Bank

A growing cyber crime

Charlene Crowell Center for Responsible Lending | 8/22/2019, midnight
A second disclosure of a major consumer data breach was announced on July 29 by Capital One Bank. That same day, the FBI arrested a suspect who was charged with stealing the personal information on March 22 and 23. The apparent focus of the financial theft was credit card applications filed with the bank between 2005 and 2019.

Those most vulnerable are two types of consumers: small businesses whose company credit card applications included personal Social Security numbers, and other customers who linked “secured” credit cards to other accounts.

That these two developments occurred on the same day suggests a tacit agreement between one of the nation’s 10 largest banks and the country’s top law enforcement agency.

But why did it take 160 days for consumers to learn their personal data had been at risk for four months?

Ranked number 145 on the Fortune 500 company list, Capital One has 45 million customers in the states of Louisiana, Maryland, New Jersey, New York, Texas, Virginia, and the District of Columbia. In the second quarter of this year, the bank reported net income of $1.6 billion.

According to the bank, the data breach affects approximately 100 million consumers in this country and an additional 6 million Canadians. An estimated 140,000 Social Security numbers used for credit card applications and another 80,000 bank account numbers all place affected consumers in financial jeopardy.

“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” said Richard Fairbank, Capital One’s CEO. The bank has also pledged to provide affected customers with free credit monitoring and identity.

For consumer advocates, however, Capital One’s mea culpa was too little, and much too late.

“I wouldn't say that consumers can or should ‘breathe a sigh of relief,’” cautioned Aracely Panameño, the Center for Responsible Lending’s Director of Latino Affairs. “The latest data breach speaks to the lax cybersecurity systems currently in place at major financial institutions and national credit reporting agencies (NCRAs).”

Equifax, one of three NCRAs, waited two months to disclose its cybersecurity breach, which occurred in July but was kept from the public until September that year. During that delay, 147 million unsuspecting consumers—the equivalent of 58 percent of the US adult population—did not know that their personal data, including federal income tax records, as well as employee records for government employees and those of Fortune 500 firms, was at risk. Nor did recipients of major government programs like Medicare, Medicaid, and Social Security learn that they, too, were affected.

In response to Equifax’s massive cybercrime, a surge of 50 federal class action lawsuits were filed in at least 14 states and the District of Columbia in September 2017, following the public disclosure.

“This settlement is a slap on the wrist of Equifax,” continued Panameño. “The restitution fund is up to $425M, which is equivalent to $2.89 per impacted consumer (147M); the initial restitution fund is only $300M. The average monthly cost for credit monitoring is $20. These 147 million American consumers will have to worry about identity theft and financial fraud in perpetuity. Yet under the settlement agreement, consumers must request benefits by Jan. 22, 2020.”