Capital One Security Alert
September 18, 2019
By now, news of yet another data breach resulting in unauthorized access to personal information — especially financial information — has become so frequent as to seem almost commonplace. Notwithstanding, the recent data breach affecting Capital One was, in many ways, a singular event.
The magnitude of the Capital One data breach was unprecedented in many respects. The number of Canadians affected by the breach, the volume of information obtained and, particularly, the nature of the information lost were all on a scale not previously seen, in Canada or elsewhere.
According to information provided by Capital One, approximately 6 million Canadians (or one in every six Canadians) have had the privacy of their personal information compromised. Part of the reason that such a huge number of individuals has been affected is the time frame involved. The breach affected, not just those who held credit products issued by Capital One, but those who applied for such products (whether or not they were ever obtained) for a fifteen-year period, from 2005 through early 2019. The personal information obtained through the breach included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, postal codes, phone numbers, email addresses, dates of birth, income, credit scores, credit limits, balances, payment history and contact information.
While a privacy breach involving any of the above information is problematic for those affected, the most significant aspect of the Capital One breach is that the Social Insurance Numbers (SINs) of 1 million Canadians were obtained by an unauthorized person or persons as a result of the privacy breach. A SIN is the “gold standard” of personal identification for Canadians — it is used to file tax returns, obtain government benefits, and open bank accounts. Having someone’s SIN makes it easier to obtain other identifying information, and that information, in the aggregate, facilitates identity theft.
Anyone who has been the victim of a personal information data breach can take steps to mitigate the possible impact of that breach. Affected credit cards can be cancelled and re-issued and bank account numbers changed. Individuals can change passwords and e-mail addresses. While all of that is time consuming, aggravating and inconvenient, it can be done.
The situation is different when it comes to SINs. SINs are issued by the federal government and the government’s policy is to NOT provide an individual with a new SIN where the original number is compromised in a data breach. (A new SIN can be requested only in circumstances in which an individual can prove that his or her SIN was used fraudulently.) The stated reasons for that policy, as outlined on the Service Canada website, are as follows:
A new Social Insurance Number does not protect you from fraud and identity theft
A new SIN is not a fresh start or protection from fraud or identity theft.
If someone else uses your old SIN and the business does not check the person’s identity, you may have to prove you were not involved in the fraud or pay the impostor’s debts.
A new Social Insurance Number is a complex affair
The Government can only share your new SIN with the federal departments and agencies that use your SIN.
This means that it would be up to you to provide your new SIN to all the financial institutions, creditors, pension providers, recent and current employers, and any other organizations with which you shared your old SIN.
Not doing so or failing to do so properly risks not receiving benefits or leaves the door open to subsequent fraud or identity theft.
You double your monitoring efforts with two Social Insurance Numbers instead of one
A new SIN does not erase your old SIN. You would therefore need to monitor your accounts and credit reports for both SINs on a regular and ongoing basis. This would put added burden on you. Numerous SINs multiply the risk of fraud.
Consequently, individuals whose SINs have been obtained by unauthorized persons through the Capital One hack will need to be vigilant, now and for some time into the future, to guard against unauthorized use of that number. Such individuals may rightfully expect Capital One to take responsibility for and cover the cost of such monitoring efforts, and the company has indicated that it will take the following actions.
The company began directly notifying Canadians affected by the cyber incident by e-mail on August 7, 2019, and that process will continue by e-mail or regular mail over several weeks. The difficulty, of course, is that e-mail addresses were among the kinds of information obtained in the data breach. Consequently, anyone who receives an e-mail purporting to come from Capital One will need to take steps to ensure that the e-mail is not part of a further phishing attempt. Any suspicious e-mail received should be forwarded, without clicking on any links or opening any attachments, to firstname.lastname@example.org. To help those affected spot fraudulent e-mails or messages, Capital One has posted a number of tips on its website at https://www.capitalone.ca/help/fraud-protection/.
Capital One has also announced that it will not be contacting anyone affected by the data breach by telephone or text. Consequently, any phone call or text which purports to be from Capital One about the breach should be treated as fraudulent and ignored. Where personal information has mistakenly been provided in response to such a call or text, the following steps should be taken:
- call Capital One, using the telephone number printed on the back of the card or on the company’s own website (not a number supplied in the call or text), to report that account information may have been compromised;
- sign in to Capital One online banking and change passwords; and
- check accounts for suspicious activity.
Finally, the company has indicated that it will provide and pay for two years of credit monitoring and identity theft insurance from TransUnion to everyone impacted. Details of the data breach and the company’s response are outlined on the Capital One website at https://www.capitalone.ca/facts2019/.
One of the reasons that so many SINs were compromised in the Capital One data breach is that Canadians have become accustomed to being routinely asked for their SIN in situations in which that request shouldn’t be made. And, in too many cases, Canadians routinely provide those SINs without fully considering the potential risks.
The number of instances in which individuals are required to provide their SINs is actually quite limited, and such information can generally be requested only by an employer, by agencies of the federal government, or by private institutions (like banks or credit unions) which are required to provide taxpayer-specific information to the federal government, especially the tax authorities, and then only in specific circumstances.
Notwithstanding, SINs are requested in any number of situations in which they don’t have to be provided, including the following:
- proving your identity (except for specific government programs);
- completing a job application before you get the job;
- completing an application to rent a property;
- negotiating a lease with a landlord;
- completing a credit card application;
- cashing a cheque;
- completing some banking transactions (mortgage, line of credit, loan);
- completing a medical questionnaire;
- renting a car;
- subscribing to long distance or cellular telephone services;
- writing a will;
- applying to a university or college; and
- making funeral arrangements.
Somewhat surprisingly, it is not actually against Canadian law for an individual or company to ask for a SIN in circumstances in which they aren’t entitled to it. Consequently, the onus falls on the individual to refuse to provide his or her SIN in such circumstances. That is not always as easy as it sounds — for instance, SINs are routinely requested in residential tenancy applications and, in a tight rental market, individuals may be reluctant to refuse where doing so could mean losing out on hard-to-find rental accommodation. Individuals will therefore need to determine, in each instance, whether the risks inherent in providing one’s SIN are justified in the circumstances. And no matter what those circumstances are, the best advice is always this: if you don’t have to disclose identifying or personal financial information, then don’t!