The dark web is a said to be a marketplace worth hundreds of billions of dollars. And now, if you applied for a Capital One credit card and were one of the 100 million people whose account information may have just been hacked, your personal information could be on the dark web and selling for less than the price of your monthly car payment.
Here’s what we know so far, and here’s how to protect your data after this breach—and the next one.
What Is the Capital One Hack?
The Capital One hack was allegedly perpetrated by Paige Thompson, a 33-year-old Seattle resident. She’s being charged with “computer fraud and abuse,” and will have a hearing on August 1. The facts, according to the bank:
- Thompson gained access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 bank account numbers.
- She also had access to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information.
- Thompson tapped into fragments of transaction data from a total of 23 days from 2016-18.
- The attacks may have included customers who applied for these cards as early as 2005.
The vulnerability to the system that allowed for the hack to occur was made public back in April, but it wasn’t until July, after being alerted by an outside researcher, that Capital One noticed and began to respond.
Capital One expects the incident to generate “incremental costs of approximately $100 to $150 million in 2019,” according to the company. “Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support.”
This is the latest in a seemingly endless series of hacks including the Marriott hacks, the Equifax hack, and the Sony hack, which are largely the result of companies not properly protecting the information of individual citizens. Where that information ends up varies, from Russia to North Korea to places unknown.
What Happened to the Capital One Data That Was Lost?
The dark web is the world of the criminal underground, where data is bought and sold by criminal actors—including nation states—and used to fund nefarious activities. A 2019 study from the University of Surrey indicated that the number of dark web listings that could harm an enterprise has risen by 20 percent since 2016.
But the dark web is also a marketplace to buy and sell credit card numbers, guns, stolen subscription credentials, Netflix account passwords, and more. A “lifetime” Netflix premium account goes for $6, but you can also hire someone to break into someone’s computer. The sky’s the limit.
And for now, it’s safe to assume that the stolen personal information and social security numbers of Capital One applicants can be found on the dark web, too, at least until proven otherwise.
Why Was Our Information Stolen? Where Did It Go?
“I am deeply sorry for what has happened,” said Richard Fairbank, the CEO of Capital One, in a Capital One press release. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Cybersecurity experts aren’t listening to the lip service. “Did we learn nothing from Equifax?” asks Bob Sullivan, host of the podcast Breach. “The company statement uses absurdly twisted language: ‘No Social Security numbers were compromised … other than 140,000 Social Security numbers.’ When will companies learn to be straight with people when these incidents occur?”
Therein lies the crux of the problem.
Our data is being stolen, sold, and bought with very little awareness for public safety and security. The issue is threefold: People must learn to better protect themselves, governments must learn to better protect citizens, and companies must learn to better protect people’s data.
Last week, the Federal Trade Commission reached a settlement with Equifax to pay $125 to U.S. citizens impacted by the 2017 attack, totaling up to $425 million in restitution. This is predicted to cost Equifax more than $700 million total. And cyberattacks cost banks more than any other industry—up to $1 trillion dollars per year and growing as the rate of attacks climbs rapidly, per Accenture.
In order to combat these attacks, companies must develop security systems that can sustain attacks and swiftly respond to them. This means using the latest technologies to detect and avoid potential hacks. And that starts with AI.
“One of the things we are seeing is that more and more companies are using AI for cybersecurity,” says Ben Lamm, CEO of AI company Hypergiant. “We have to put humans first and make sure we are protecting their personal identification. Using AI to improve the security of banking institutions is a natural step.”
Beyond punitive damages, the U.S. government isn’t doing enough to protect us either. While Senators Elizabeth Warren and Mark Warner have been active in fighting for broad legislative changes that hold companies accountable for the loss of information, Congress hasn’t played ball. So far, little has been done to safeguard the public. If the Equifax hack wasn’t enough, the Capital One snafu may not be either.
What Can You Do to Protect Yourself?
According to Capital One, the company will be “notifying affected individuals through a variety of channels” and will “make free credit monitoring and identity protection available to everyone affected.” But is that enough?
If you think you were affected by the hack, follow these simple strategies:
- Enroll in text or email alerts to track account activity.
- Monitor your credit cards for unusual or suspicious activity.
- Call the number on your card if you observe anything unusual.
- Report emails suspected of phishing activity to the Capital One security team: firstname.lastname@example.org. Do not reply to suspicious emails, delete them after forwarding to Capital One, and do not reply to suspicious phone calls.
Want to keep fighting? Press your congressmen and congresswomen to do more to protect your data privacy and demand reparations from companies that don’t do enough to keep you safe. Assuming your data is already lost puts you in a position of unnecessary victimhood; data loss is not a forgone conclusion.
“As individuals, we should learn a hard lesson and teach that to our kids,” says Amir Orad, CEO of SiSense, “Whatever you store online will probably get hacked one day, so be smart and selective about it.”