U.S. banking company Capital One has started the notification process for its most recent data breach — affecting approximately 100 million people in the U.S. and an additional six million in Canada (for now). While you might feel protected in Australia, data breaches happen surprisingly often, and they can impact anyone. That’s why it’s important to read the fine print.
I felt like I was on a financial roller coaster when I read Capital One’s press release and saw alternating lines like these:
“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”
“Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.”
“Importantly, no credit card account numbers or log-in credentials were compromised and over 99 per cent of Social Security numbers were not compromised.
“No bank account numbers or Social Security numbers were compromised, other than:
About 140,000 Social Security numbers of our credit card customers
About 80,000 linked bank account numbers of our secured credit card customers”
Capital One is rightly being ridiculed online for this almost nonchalant way of saying that hundreds of thousands of customers are seriously affected by this breach.
Incredible. Capital One's data breach site is titled "Facts."
And yet it also pulls this bullshit by saying that no Social Security numbers were breached… except for all the Social Security numbers that were breached.
Fuck you, Capital One. pic.twitter.com/PBod3z9QtC
— Zack Whittaker (@zackwhittaker) July 30, 2019
this line from the Capital One press release on their massive data breach is pretty unreal. Nothing compromised! Except, you know, all the stuff that was compromised. pic.twitter.com/hBAiHEShlJ
— Charlie Warzel (@cwarzel) July 30, 2019
What do you take away from something like this? First, always read the fine print. It’s in a company’s best interests to downplay these kinds of breaches as much as possible, because it’s going to cost them money and make them look foolish, at best, and not very secure.
What sounds fine if you just read the first paragraph or so, or even skim through the announcement, actually doesn’t end up being all that fine. At least, I don’t think coughing up 140,000 social security numbers and 80,000 bank account numbers is a good thing, and I’m sure those affected will agree with me.
Second, be sceptical. Capital One says that around 106 million people were “affected,” but buries the type of information that was potentially accessed later in its press release — a chunk of text you might not notice if you were just skimming.
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018”
That doesn’t sound too bad, right? There’s not much you can do if your email address or birthday is out in the wild, and it’s more annoying than problematic if your credit score or payment history got leaked. Still, an attacker could theoretically use this information on its own — or cross-referenced against other information they might have from one of the many other security breaches your data is likely a part of — to create a fictitious profile of you and apply for other financial services using your information, which could be a real problem.
Also, it’s worth keeping in mind that we’re just at the very initial stages of learning about this breach. Tempted as you might be to ignore Capital One’s problem, since it didn’t sound that serious for most people, and it probably didn’t impact you, you should keep it in the back of your mind for the next few months.
Remember Techdirt's rule of breaches: they always turn out to be worse and more encompassing than first reported. https://t.co/F08BmTXt7x
— Mike Masnick (@mmasnick) July 30, 2019
Third, be wary of any follow-ups to potential large-scale hacks. If someone calls you on the phone asking you to “verify” account information because they’re from the breached company and they need to make sure you’re safe, or some line like that, tell them off. Those companies will not contact you like that.
Similarly, if you get a suspicious-sounding email allegedly from a representative, asking you to provide them information that they should theoretically already have, resist the urge. In fact, you could even call up the company yourself to verify if the request is legitimate before you click on any links or send any replies. The last thing you want to do is to survive the breach unscathed, but cough up critical information to a phishing attempt.
Finally, stay vigilant. I realise that responding to these kinds of things can be exasperating, especially if you’re mad enough that you’re going to transfer your money to a new bank. Even if you’re going through the standard process of changing your passwords when confronted with a breach at a company you use, I sympathise.
Having to do all this gets annoying, but you can’t let your guard down. Keep on enabling two-factor authentication. Keep on checking your account for instances of misuse, whether financial transactions or log-ins that weren’t you. Set up a Google alert so you don’t miss any critical follow-ups about the breach. Breathe. You’ve got this.