Alleged hacker Paige Thompson, a former employee of Amazon’s cloud-computing division, stands accused of exploiting a vulnerability in Capital One’s cloud system to illegally gain access to sensitive information from roughly 106 million customers in the U.S. and Canada, the Wall Street Journal reported. The hack is said to have begun in March, but came to light just days after Equifax agreed to pay as much as $700 million to settle claims stemming from a 2017 breach that impacted nearly 150 million Americans.
While data breaches are a constant risk in the current environment, consumers can take some basic steps to protect themselves, according to Daniela Perlmutter, vice president of marketing at cybersecurity firm CyberInt. By regularly monitoring their credit card transactions, using different passwords for their accounts, adding security questions and setting up their accounts to alert them to suspicious behavior, customers can prevent a data breach from turning into a personal financial crisis.
“For consumers, the main takeaway is that they should always be aware of the transactions in their accounts,” Perlmutter told FOX Business.
Capital One said the largest portion of compromised personal data was derived from consumers and small businesses that applied for a credit card service from 2005 to 2019. The exposed data included roughly 140,000 Social Security numbers, about 80,000 linked bank account numbers, credit scores, self-reported income, phone numbers and home addresses.
Aside from the financial impact to consumers, data breaches have grown increasingly costly for businesses. Capital One said it expects breach-related costs of up to $150 million this year, and a recent IBM study found that “mega breaches” that expose 50 million or more records cost an average of $388 million.
Financial institutions, including commercial banks, can learn from the Capital One breach by limiting the access that employees and contractors have to their cloud-computing systems, Perlmutter said. A well-prepared incident response team can help detect breaches as quickly as possible.
“For commercial banks, make sure to use ‘least privileges’ access for application and administrative accounts; this will reduce the risk of employees performing unauthorized activities intentionally or unintentionally or malicious activity by threat actors gaining control of stolen accounts,” Perlmutter said.
While account monitoring can help consumers react to a cybersecurity incident, companies should ultimately be held responsible for preventing breaches in the first place, according to Marti Beller, a former MasterCard executive and president of Kobie Marketing.
“The onus for protecting that data and wielding it responsibly falls on the shoulders of the brands who collect it,” Beller said. “Brands need to adopt strategies that allow them to collect first-party data in a permissioned environment and provide clear value exchange that a consumer understands.”
Capital One said it is “unlikely that the information was used for fraud or disseminated by this individual.” The company plans to alert affected customers by mail.