August 7, 2019
What's the issue?
By now you know about The Capital One data breach as it has received significant media attention. The massive personal credit implications of this breach have, however, overshadowed several key issues that are important to small business professionals.
Businesses that applied for credit with Capital One between 2005 and early 2019 should be aware that the information supplied in the application may now be in the hands of cybercriminals and it could be used for business identity theft. Credit applications are particularly valuable to cybercriminals because, as they are intended to, they provide a complete basket of valuable credit and profile information. Threat actors use this unabbreviated information to more efficiently, and effectively, establish lines of credit in your or your company's name, create dummy accounts for money laundering purposes, or shape better Business Email Compromise (BEC) attacks against you.
A BEC attack is a type of fraud committed against you, your business, or those you do business with. By penetrating your email or computer, or from stolen information in breaches like the Capital One breach, the cybercriminals gather enough information to undertake any number of illegal acts to steal your money, or that of the people you do business with. By pretending to be you they redirect payments you are owed or fraudulently withdraw money from your accounts, for example. BEC is one of the costliest forms of cyber breach and is especially damaging to smaller businesses. According to the FBI's Internet Crime Complaint Center (IC3) BEC attacks comprise some 44% of all cyber crime financial losses, and in North America alone amounts to billions stolen every year.
The second aspect of this breach that should be of particular concern to business owners is the timeline over which the stolen information may be used by the criminals. While the value and efficacy of the information will fall with time, cybercriminals will wait months or even years before first attempting to use it. By this time, victims have dropped their guard, and indicators that something is happening or a theft is being staged, is missed.
On July 19th, Capital One became aware that an unauthorized outside individual had accessed their customer data. Capital One released the following details about the data breach: six million Canadian customers and 100 million U.S. customers are affected. One million Social Insurance Numbers, 140,000 Social Security Numbers, and 80,000 bank account numbers are among the most sensitive data compromised. As well, the hacker also had access to customers credit scores, credit limits, and balances. The other information compromised includes name, phone number, email address, date of birth, and income.
The collection of data was largely retrieved from consumer and small business applications for Capital One credit cards and credit products between 2005-2019. Capital One credit products include Costco Credit Card, Hudson's Bay Credit Card, SaksFirst Credit Card, and Credit Keeper, an app that gives Capital One customers access to their TransUnion credit score. Capital One has not confirmed if those customers are affected in this breach but says affected customer will be notified and offered free credit monitoring and identity theft insurance.
Capital One has mentioned that their Auto Finance, Commercial bank, and customers from the UK were not impacted. Also, no credit card account number or log-in credentials were compromised.
What should I do?
If you completed an application for credit with Capital One between 2005 and early 2019, whether it was successful or not, or if you have a Capital One Small Business credit card, you must be on guard. Change your passwords to all your accounts and do not use the same password on multiple accounts. Watch your accounts carefully and look for any indicators from credit institutions, banks, etc., noting any new or suspicious credit activity in your name or that of your business. Beware of more detailed and specific phishing emails. Watch for changes to payment patterns with your suppliers, or requests for you to change the accounts or way you do business with clients. When in doubt, call and speak to an individual; establish two-factor person-to-person authentication policies, have email source and address verification processes, and verify payment pattern changes requests with verifiable contacts.
Keep your computers and software secure and up to date as attacks can be preceded or augmented by a virus attack or theft of a device. Encrypt your files, preferably using file-by-file encryption, educate and train executives and staff on phishing attacks.
Follow the protocols that are advised by Capital One. On top of the credit monitoring and identity theft insurance Capital One is offering to those affected, they are encouraging customers to turn on text or email alerts for all account activities and be vigilant in monitoring credit card accounts for suspicious activities.
Unfortunately, Canadian credit monitoring agencies do not allow Canadians or Canadian businesses to put a credit freeze on their credit file, as is available in the U.S and other countries. As most credit issuers will check applicant credit with a credit monitoring agency before issuing credit, a credit freeze blocks this activity and credit would not typically be granted. Canadians can in some cases where warranted add a fraud alert to their credit file to warn credit grantors to contact them before approving credit, but it is up to a credit issuer to decide if they will take any action or contact you before issuing credit when they see an alert on your file.