Capital One cybersecurity breach exposes millions of Canadians

Jul 30, 2019 | News

Capital One was the victim of a cybersecurity breach leaving millions of customers’ personal information at risk. (REUTERS/Brendan McDermid)

Devin Linh Nam

Six million Canadians had their personal information lifted from Capital One’s databases without their permission on July 19.

Capital One Financial Corporation said in a press release that the personal data of many of its American and Canadian customers was accessed by an unauthorized individual.

Many customers in this case means about 106 million people in total, with about six million in Canada affected by the data breach.

Once the credit card company was aware of the breach, it immediately addressed the cybersecurity vulnerability, Capital One said in the press release on Monday.

The Federal Bureau of Investigation (FBI) arrested a woman after a raid in her Seattle, Wash., home on Monday, seizing a number of digital storage devices housing the stolen Capital One customer information. Paige Thompson, 33, is in custody for “computer fraud and abuse,” said the U.S. Department of Justice in a press release Monday.

Thompson was found out because of her posts about the breach on GitHub, an information-sharing site, and was reported by another GitHub user.

An event like this is possible because there isn’t enough enforcement from the government ensuring companies are held responsible to protect personal data, said Ali Dehghantanha, assistant professor and director of the Cyber Science Lab at the University of Guelph.

“You have seen similar attacks in the past,” Dehghantanha said. “The clients can’t do anything … and, the issue is that the companies are not deploying proper security.

“Until we have those demanding regulations to make the companies see the danger of losing their client’s data, I would not see much momentum from the companies to invest in their cybersecurity,” he said.

The recently established Canadian Centre for Cyber Security is a new government program providing advice and knowledge when it comes to cybersecurity.

“Cyber defence is a team sport,” the centre stated in an email. “Government, industry, academia, and civil society must all work together to strengthen Canada’s cybersecurity.”

In the meantime, before any regulations or oversight can be put in place, millions of Canadians are worried about their exposed personal data.

The personal information Thompson accessed includes names, addresses, postal codes, phone numbers, email addresses, dates of birth, social security numbers and self-reported income figures.

In addition to personal information, customer banking information like credit scores, credit limits, balances and payment history was also accessed by Thompson.

Dehghantanha said with this information people are at risk of a wide range of attacks, from “simple credit card stealing” to more advanced identity fraud, like acquiring loans and mortgages on their behalf.

Many have come to Dehghantanha worried about their information in the wake of the announcement and he said he is telling people to do a number of things to protect themselves, including knowing whether their information has been shared directly or indirectly with Capital One, freezing accounts associated with Capital One and accepting support from Capital One if they have been contacted by the company about the breach.

The RCMP is handling the investigation in Canada.

“The RCMP is maintaining situational awareness of this investigation and prepared to assist upon request,” the Mounties said in a prepared statement.