A second major disclosure of major consumer data breach was announced on July 29 by Capital One Bank. That same day, the FBI arrested a suspect was charged with stealing the personal information on March 22 and 23. The apparent focus of the financial theft was credit card applications filed with the bank between 2005-2019.
Those most vulnerable are two types of consumers: small businesses whose company credit card applications included personal Social Security numbers, and other customers who linked ‘secured’ credit cards to other accounts
For these two developments to occur on the same day, suggests a tacit agreement between one of the nation’s 10 largest banks and the country’s top law enforcement agency.
But why did it take four months for consumers to learn their personal data has been at risk?
Ranked number 145 on the Fortune 500 company list, Capital One has 45 million customers in the states of Louisiana, Maryland, New Jersey, New York, Texas, Virginia and the District of Columbia. In the second quarter of this year, the bank reported net income of $1.6 billion.
According to the bank, the data breach affects approximately 100 million consumers in this country and additionally 6 million Canadians. An estimated 140,000 Social Security numbers used for credit card applications and another 80,000 bank account numbers all place affected consumers in financial jeopardy.
“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” said Richard Fairbank, Capital One’s CEO. The bank has also pledged to provide affected customers with free credit monitoring and identity.
For consumer advocates, however, Capital One’s mea culpa was too little, and much too late.
“I wouldn’t say that consumers can or should “breathe a sigh of relief,” cautioned Aracely Panameño, the Center for Responsible Lending’s Director of Latino Affairs. “The latest data breach speaks to the lax cybersecurity systems currently in place at major financial institutions and national credit reporting agencies (NCRAs).”
Equifax, one of three NCRAs, waited two months to disclose its cybersecurity breach that occurred in July but was kept from the public until September that year. During that delay, 147 million unsuspecting consumers – the equivalent of 58% of the US adult population — did not know that their personal data – including federal income tax records, as well as employee records for government employees and those of Fortune 500 firms – was at risk. Nor did recipients of major government programs like Medicare, Medicaid, and Social Security learn that they too were affected.
In response to Equifax’s massive cybercrime, a surge of 50 federal class action lawsuits were filed in at least 14 states and the District of Columbia in September 2017, following the public disclosure.
“This settlement is a slap on the wrist of Equifax,” Panameño said. “The restitution fund is up to $425M, which is equivalent to $2.89 per impacted consumer (147M); the initial restitution fund is only $300M. The average monthly cost for credit monitoring is $20. These 147 American consumers will have to worry about identity theft and financial fraud in perpetuity. Yet under the settlement agreement, consumers must request benefits by January 22, 2020.”
Similar reactions came from other consumer advocates.
“It’s disappointing but not unexpected that consumers face yet another breach of our sensitive financial information,” said Chi Chi Wu, staff attorney at the National Consumer Law Center (NCLC). “People should take the most effective measure to prevent identity theft involving new credit accounts by freezing their credit reports. It’s free as a result of a new law last year.”
According to NCLC, credit card customers are not liable for any unauthorized use of over $50. By contrast, consumers with bank accounts in most cases are not liable for unauthorized debit card or other electronic transactions so long as the fraudulent transaction are reported within 60 days of receiving their bank statement. Further, lost or stolen debit cards must be reported within two business day of learning of the loss or theft.
For Ed Mierzwinski, U.S. PIRG’s Federal Consumer Program senior director, answers to consumer questions were also a key concern.
“How did this happen?” Mierzwinski asked. “And how is Capital One going to prevent future breaches? We need answers to ensure that increasingly frequent, large breaches such as this, Equifax and others don’t become the new norm.”
Neither America, Canada the United Kingdom, or any other nation needs or wants yet another financial breach. Only time and additional investigations will reveal just how many more consumers may be affected by these or other delayed announcements.
“The hackers made out with all the data needed to wreak havoc in the lives of 147 million American consumers for the rest of their lives,” Panameño said. “They need remedies that are commensurate with that risk.”
Charlene Crowell is the Center for Responsible Lending’s Communications deputy director. She can be reached at firstname.lastname@example.org.