Data Breaches: Why It’s Important To Read The Fine Print


U.S. banking company Capital One has started the notification process for its most recent data breach — affecting approximately 100 million people in the U.S. and an additional six million in Canada (for now). While you might feel protected in Australia, data breaches happen surprisingly often, and they can impact anyone. That’s why it’s important to read the fine print.

I felt like I was on a financial roller coaster when I read Capital One’s press release and saw alternating lines like these:

“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.” 

“Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.”

“Importantly, no credit card account numbers or log-in credentials were compromised and over 99 per cent of Social Security numbers were not compromised.

“No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of our credit card customers

  • About 80,000 linked bank account numbers of our secured credit card customers”

Capital One is rightly being ridiculed online for this almost nonchalant way of saying that hundreds of thousands of customers are seriously affected by this breach.

What do you take away from something like this? First, always read the fine print. It’s in a company’s best interests to downplay these kinds of breaches as much as possible, because a breach is going to cost it money and make it look careless at best, and insecure at worst.

What sounds fine if you just read the first paragraph or so, or even skim through the announcement, actually doesn’t end up being all that fine. At least, I don’t think coughing up 140,000 social security numbers and 80,000 bank account numbers is a good thing, and I’m sure those affected will agree with me.

Second, be sceptical. Capital One says that around 106 million people were “affected,” but buries the type of information that was potentially accessed later in its press release — a chunk of text you might not notice if you were just skimming.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information

  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018″

That doesn’t sound too bad, right? There’s not much you can do if your email address or birthday is out in the wild, and it’s more annoying than problematic if your credit score or payment history got leaked. Still, an attacker could use this information on its own — or cross-referenced against data from one of the many other breaches your details are likely a part of — to build a convincing profile of you and apply for other financial services in your name. Name, address, date of birth and income are exactly the details other institutions ask for to verify identity, which is what makes this combination dangerous.

Also, it’s worth keeping in mind that we’re just at the very initial stages of learning about this breach. Tempted as you might be to ignore Capital One’s problem, since it didn’t sound that serious for most people, and it probably didn’t impact you, you should keep it in the back of your mind for the next few months.

Third, stay alert to the follow-on scams that trail any large-scale hack. If someone calls you on the phone asking you to “verify” account information because they’re from the breached company and they need to make sure you’re safe, or some line like that, tell them off. Those companies will not contact you like that.

Similarly, if you get a suspicious-sounding email allegedly from a representative, asking you to provide information they should already have, resist the urge. Instead, call the company yourself to verify whether the request is legitimate before you click on any links or send any replies — and use a phone number from the company’s official website or the back of your card, not one printed in the email. The last thing you want is to survive the breach unscathed, only to cough up critical information to a phishing attempt.

Finally, stay vigilant. I realise that responding to these kinds of things can be exasperating, especially if you’re mad enough that you’re going to transfer your money to a new bank. Even if you’re going through the standard process of changing your passwords when confronted with a breach at a company you use, I sympathise.

Having to do all this gets annoying, but you can’t let your guard down. Keep on enabling two-factor authentication. Keep on checking your account for signs of misuse, whether transactions you don’t recognise or log-ins that weren’t you, and turn on your bank’s own transaction alerts if it offers them. Set up a Google alert so you don’t miss any critical follow-ups about the breach. Breathe. You’ve got this.


  • It’s true that this breach may not have been relayed well to the public, but that’s not a reason to go nuts. As a cyber security professional, I can tell you that identifying a breach is hard, and identifying and understanding the consequences is even harder. People think that a hacker breaks in today, steals info and disseminates it tomorrow. The reality is, in Australia, most companies take more than 200 days to discover they’ve been breached. And across the world, some hackers can have access to a system for years before they actually do any damage.
    And that’s not because companies have poor defences. Imagine someone breaks into your home and steals your vacuum cleaner. For some people, it could take a week – or even longer – to realise that it’s missing. Data is similar. It’s often buried deep in the system, where it’s not physically looked at every day, and hackers are getting more sophisticated every day.
    The other reality is that the public assume that ANY breach is a bad thing. To be honest, that’s half true, but breaches happen all the time. You can’t stop them. The best you can do is identify them and react accordingly. Companies try to downplay a breach because the media have taught our society to basically freak out whenever they hear that someone was breached.
