Current temperature in Boston - 62 °
Get access to a personalized news feed, our newsletter and exclusive discounts on everything from shows to local restaurants, All for free.
Already a member? Sign in.
The Bay State Banner
The Bay State Banner

Trending Articles

The Boston Police Department isn’t above the law

Coalition challenges Tubman House sale

A daughter’s right to choose


Consumers at risk from Capital One data breach

Largest bank breach affects 140,000 Social Security numbers, 80,000 bank accounts

Charlene Crowell

A disclosure about a major consumer data breach was announced on July 29 by Capital One Bank. That same day, the FBI arrested a suspect who was charged with stealing the personal information back on March 22 and 23. The apparent focus of the data theft was credit card applications filed with the bank between 2005 and 2019.

Those most vulnerable in the data breach are two types of consumers: small businesses whose company credit card applications included personal Social Security numbers, and other customers who linked ‘secured’ credit cards to other accounts.

These two developments occurring on the same day suggests a tacit agreement between one of the nation’s 10 largest banks and the country’s top law enforcement agency.

But why did it take four months for consumers to learn their personal data has been at risk for four months?

Ranked number 145 on the Fortune 500 company list, Capital One has 45 million customers in the states of Louisiana, Maryland, New Jersey, New York, Texas, Virginia, and the District of Columbia. In the second quarter of this year, the bank reported net income of $1.6 billion.

According to the bank, the data breach affects approximately 100 million consumers in this country and 6 million Canadians. An estimated 140,000 Social Security numbers used for credit card applications and another 80,000 bank account numbers place affected consumers in financial jeopardy.

“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” said Richard Fairbank, Capital One’s CEO.  The bank has also pledged to provide affected customers with free credit monitoring and identity.

For consumer advocates, however, Capital One’s mea culpa was too little, and much too late.

“I wouldn’t say that consumers can or should “breathe a sigh of relief,” cautioned Aracely Panameño, the Center for Responsible Lending’s Director of Latino Affairs. “The latest data breach speaks to the lax cybersecurity systems currently in place at major financial institutions and national credit reporting agencies (NCRAs).”

Equifax, one of three NCRAs, waited two months to disclose its cybersecurity breach that occurred in July 2017 but was kept from the public until September that year. During that delay, 147 million unsuspecting consumers —the equivalent of 58 percent of the U.S. adult population — did not know that their personal data, including federal income tax records as well as employee records for government employees and those of Fortune 500 firms, was at risk. Nor did recipients of major government programs like Medicare, Medicaid, and Social Security learn that they too were affected.

In response to Equifax’s massive cybercrime, 50 federal class action lawsuits were filed in at least 14 states and the District of Columbia in September 2017, following the public disclosure.

“This settlement is a slap on the wrist of Equifax,” continued Panameño. “The restitution fund is up to $425 million, which is equivalent to $2.89 per impacted consumer (147 million); the initial restitution fund is only $300 million. The average monthly cost for credit monitoring is $20. These 147 million American consumers will have to worry about identity theft and financial fraud in perpetuity.  Yet under the settlement agreement, consumers must request benefits by January 22, 2020.”

Similar reactions came from other consumer advocates.

“It’s disappointing but not unexpected that consumers face yet another breach of our sensitive financial information,” said Chi Chi Wu, staff attorney at the National Consumer Law Center (NCLC). “People should take the most effective measure to prevent identity theft involving new credit accounts by freezing their credit reports. It’s free as a result of a new law last year.”

According to NCLC, credit card customers are not liable for any unauthorized use of over $50. By contrast, consumers with bank accounts in most cases are not liable for unauthorized debit card or other electronic transactions so long as the fraudulent transactions are reported within 60 days of receiving their bank statement. Lost or stolen debit cards must be reported within two business day of learning of the loss or theft. 

For Ed Mierzwinski, U.S. PIRG’s Federal Consumer Program senior director, answers to consumer questions were also a key concern.

“How did this happen?” asked Mierzwinski. “And how is Capital One going to prevent future breaches? We need answers to ensure that increasingly frequent, large breaches such as this, Equifax and others don’t become the new norm.”

Neither the U.S., Canada, the United Kingdom or any other nation needs or wants yet another financial breach. Only time and additional investigations will reveal just how many more consumers may be affected by these or other delayed announcements.

“The hackers made out with all the data needed to wreak havoc in the lives of 147 million American consumers for the rest of their lives,” concluded Panameño about the Equifax breach. “They need remedies that are commensurate with that risk.”

Charlene Crowell is the Center for Responsible Lending’s communications deputy director.   

Already a member? Sign in.
The Bay State Banner