Security experts have one key piece of advice for people who are trying to figure out whether their details were leaked in the Capital One data breach: Assume you’ve been compromised.
On Monday night, Capital One reported a data breach that affects more than 100 million credit card applicants. Even if someone hasn’t done business with Capital One, several other massive data breaches in recent years mean people should assume their personal details have been stolen — and consumers should take precautions to protect their identity.
“Though Capital One’s breach was internal, the fact still remains that safeguards were missing that allowed for the illegal access [of personal information]," said New York Attorney General Letitia James in a statement released Tuesday.
“It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches? We cannot allow hacks of this nature to become every day occurrences,” James said.
“With this breach we are not entirely clear on the extent of the data compromised, so it is important to react with a full-on security check,” said Robert Siciliano, founder and chief executive officer of Safr.me, a security education company.
How bad is the Capital One breach?
“This is Equifax bad,” said Siciliano, referring to the 2017 breach that compromised the data of more than 147 million people.
The breach affects about 100 million people in the United States and 6 million people in Canada, Capital One said in a statement to NBC News. The exposed information could include names, addresses, birth dates and credit histories — all key pieces of information identity thieves can use.
It gets far more serious for about 1 percent of the victims. Capital One said about 140,000 Social Security numbers and 80,000 bank accounts were potentially exposed in the data breach.
How can people find out if they’re affected?
Capital One plans to notify affected individuals “through a variety of channels,” which could mean by mail, phone, email, or alerts when they log into their accounts.
However, security experts advise that people should take precautions now to protect their identity, instead of waiting to find out if their information was included in the breach.
Get a credit freeze
Between the Capital One incident and previous data breaches from Equifax, Marriott, Home Depot, and Target, to name a few, it’s a safe bet that at least some data on most Americans has been exposed.
A credit freeze can offer an extra layer of protection by restricting creditors’ access to a person’s credit report. If a thief applies for a fraudulent line of credit, most creditors would try to look at the applicant’s credit report and see it’s locked.
The Federal Trade Commission recommends people contact each of the three credit agencies to request a freeze.
Equifax: Equifax.com/personal/credit-report-services, 800-685-1111
Experian: Experian.com/help, 888-EXPERIAN (888-397-3742)
Transunion: TransUnion.com/credit-help, 888-909-8872
Each agency will give a person a unique pin. Whenever consumers apply for a new line of credit or undergo a background check for a job, they’ll need to call the agencies and provide their unique pins to get their credit freeze lifted. This process can be streamlined if someone knows which of the three credit agencies will be contacted in regard to viewing their report.
Sign up for free credit monitoring
Capital One plans to offer free credit monitoring and identity protection services to everyone who was affected by the breach.
While it may feel hard to trust a company that didn’t live up to its promise handling your personal data, Siciliano advises people to take full advantage of these offers from Capital One.
Credit monitoring allows people to regularly check for changes to their credit score, which could alert them to fraudulent lines of credit that have been opened using their stolen credentials.
There are also several free sites, such as Credit Karma and WalletHub, which allow users to regularly monitor their credit scores.
Change your passwords
While Capital One said log-in credentials weren’t compromised, security experts still advise everyone to change their passwords.
After people change their passwords, Siciliano said they should “sign up for any push alerts or credit card activity notifications Capital One might offer through their mobile app or website.”
Password managers such as LastPass can also be a great way to generate a unique, alphabet soup-looking password that will make it harder for hackers to crack,versus using something simple such as a maiden name or Password123.
Whatever you do, reusing old passwords, or using the same one across multiple accounts is a major security fail. CreditCards.com found that 8 in 10 people in the U.S. have admitted they still reuse their passwords.