This week, Capital One formally issued data breach notification letters to an undisclosed number of its customers, stemming from unauthorized activity between January and April of this year.
There are a number of different ways a data breach can occur. While some of us might envision highly-skilled hackers infiltrating a network from the other side of the world, it’s just as likely that the culprit was someone who worked for the organization. Some data breaches expose account credentials or personal information belonging to millions of customers, while other breaches compromise 200 customers’ files through a lost or missing USB drive. However it comes about, the end result is the same: sensitive information has been released that could impact an individual’s identity.
That’s why it’s important to read data breach notification letters carefully, should you ever receive one. The letter will outline what information was accessed, how it was believed to have been compromised, what action the company will take moving forward, and instructions for the affected customers. If the situation warrants, the company may offer credit monitoring service and will provide details on how to sign up.
Capital One has had to issue such a letter this week to affected customers following an “inside job” data breach. According to the notification, a now-former employee looked at customer records without authorization; since those records contain personal identifiable information like birth dates, account numbers and Social Security numbers, Capital One has to treat this situation seriously.
A reported statistic from a previous Capital One data breach in 2014 highlights an interesting problem. While the overall number of data breaches continues to increase each year, the percentage of those data breaches that were caused by an employee with unauthorized access has remained fairly steady at around 30% of all data breach events.
There is no way of knowing why this employee looked up customers’ accounts—yes, we could playfully assume they were browsing the records looking for a cute baby name, but that’s not very likely. Instead, the company must assume that this former employee was stealing complete identities with the intention of using or selling them. So far, there have been no reports of identity theft or fraud traced back to this specific situation, but Capital One is not taking any chances. They’ve issued the data breach notification letter to affected customers, and are offering two years of credit monitoring service to help customers stay on top of any potential damage.
It’s important that any affected customers take full advantage of the free credit monitoring service. Since Capital One knows that the impacted data contained permanent identifiers like Social Security numbers, there’s a very real possibility of fraud stemming from the event.