When Capital One announced Monday that more than 100 million credit card customers and applicants had their personal data hacked, it raised the question for worried consumers: Who’s in your wallet?
The short answer is Paige A. Thompson, 33, a former Seattle tech worker also known by the online handle “erratic,” who, according to federal prosecutors, allegedly hacked into Capital One computers, stealing a wealth of customer data including credit scores, balances and payment history, along with 140,000 Social Security numbers and 80,000 linked bank accounts.
The hacked information was primarily accessed from consumer and small business credit card applications between 2005 and 2019, the company said.
What is Capital One doing for consumers?
Capital One is notifying affected credit card customers and applicants and offering free credit monitoring and identity protection services to those consumers.
Capital One said in a news release Monday it “immediately fixed the configuration vulnerability” and believes it “unlikely” the information was used for fraud or disseminated. CEO Richard Fairbank apologized for the “understandable worry” the incident caused customers.
What steps should consumers take?
Experts said free credit monitoring may not be enough to protect personal information from falling into the wrong hands. Immediately freezing your credit may be a better option for all consumers.
“Credit monitoring is just going to let you know after the fact that something bad happen,” said Ted Rossman, an industry analyst with CreditCards.com. “A credit freeze is much better because it locks down your credit report and it prevents anybody from opening new credit in your name.”
Consumers can freeze their credit for free by contacting the big three credit bureaus —Equifax, Experian and TransUnion.
In addition, Rossman recommends changing your passwords regularly. He said 8 in 10 Americans reuse their passwords, making them more vulnerable to hackers. Using a password aggregator can help vary individual passwords for each online account, while the consumer only needs to remember one.
Steve Bernas, president and CEO of the Better Business Bureau of Chicago and Northern Illinois, recommended getting a credit report from the credit agencies (you get one free a year from each company) through annualcreditreport.com as well as looking through credit card transactions to see if anything is amiss.
He also said anyone whose Social Security was accessed in a data breach should file their taxes early —before a scammer can. Other steps include canceling your credit card and getting a new one, and making sure to update any automatic payments with the new number.
Likewise, Bernas said if hackers have information about your bank account, close it and open up a new one.
How did this happen
The data breach was discovered July 19, with computer system intrusions dating back to March, according to the company. Thompson was arrested Monday and charged with computer fraud, according to the federal indictment, which alleges she gained access to the data through an improperly configured web application firewall.
When was the last big hack
Capital One, whose ubiquitous TV commercials feature celebrity spokespeople such as actress Jennifer Garner, is just the latest major financial institution to suffer a data breach. In 2017, credit card reporting company Equifax was hacked, exposing the Social Security numbers and other personal information of roughly half of the U.S. population
Last week, Equifax agreed to pay at least $700 million to settle lawsuits over the breach in a settlement with federal authorities and states, including up to $425 million in monetary relief to consumers.
McLean, Va.-based Capital One, the nation’s seventh-largest commercial bank, said it expects to spend between $100 million and $150 million remediating the data breach, largely driven by customer notifications, credit monitoring, technology costs and legal support.