A Seattle woman was arrested Monday in connection with a massive Capital One data breach affecting 100 million people in the U.S. and 6 million people in Canada. This occurred just days after credit bureau Equifax settled to pay up to $700 million in restitution after its 2017 data breach.
The FBI arrested Paige Thomas, a software engineer, for stealing sensitive information including social security numbers, credit scores, balances and contact information off servers storing Capital One data, according to the Department of Justice. She shared information about the theft on GitHub, a software development platform.
Capital One issued a statement saying that no credit card account numbers or login credentials were compromised, nor were 99% of social security numbers, but added that about 140,000 credit card customers' social security numbers were compromised, along with 80,000 linked bank account numbers of secured credit card customers.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," Richard D. Fairbank, Capital One Chairman and CEO, said in a public statement. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
As Capital One has offered to provide free credit monitoring for anyone affected by the breach, cyber security experts are urging consumers to be proactive in protecting their private information.
"We all need to practice a certain amount of self defense because companies and the government aren't there to do as complete a job as we would otherwise like," Eugene H. Spafford, professor and executive director emeritus at the Center for Education and Research in Information Assurance and Security at Purdue University, tells TIME. "[The data breach] does illustrate that there is an underlying, ongoing issue with how organizations collect and protect our personal information. And consumers should be worried about that."
Here are four things experts say consumers can do if they fear their data has been breached.
Credit monitoring and identity protection will be made available to every one of the millions of people affected by the Capital One data breach.
With credit monitoring, any changes to credit will be reported to the individual, for example if an account is opened under the individual's name. Utilizing credit monitoring doesn't impact a credit score.
Spafford urges people to accept credit monitoring, especially those whose credit is already in a vulnerable position.
"For them this is especially problematic," he says. "If their information is taken and used, if they're somewhat at the borderline it's going to be very difficult for them to recover."
The three main credit bureaus, Equifax, Experian and TransUnion, offer free yearly credit reports. Spafford recommends consumers take advantage of the reports and request reports from one of the three bureaus every four months.
Along with credit monitoring, individuals can request a credit freeze from all three credit bureaus, so that anyone attempting fraud, such as opening an account in someone else's name or making changes to information like an address, will have to provide a PIN or a password to the credit bureau in order to do so. Credit can continue to be built even while it is frozen, but creditors who do not already have access to the credit score will not be able to access it unless it is temporarily unfrozen by the individual owner.
Those interested in freezing their score can call the three bureaus: Equifax at 800-685-1111, TransUnion at 888-909-8872 and Experian at 888-397-3742.
A credit freeze has no impact on credit scores and doesn't prevent consumers from requesting yearly credit reports. It is also free to lift the credit freeze when requested by the individual.
Shira Rubinoff, President of social media monitoring program SecureMySocial and cybersecurity incubator Prime Tech Partners, says there are several ways a person can secure their online data before a breach ever occurs.
Don't fall victim to phishing scams by giving personal information over the phone, and don't click on emailed links from unrecognized sources. Avoid reusing the same password and enable two-step verification where possible.
"People haven't really understood that they can take ownership of their own security in different ways," Rubinoff tells TIME. "Security is only as strong as its weakest link."
If someone calls asking for personal information, ask for a phone number to call back, hang up and verify whether the caller is legitimate, she says. Similarly, when an email requests personal information, call the bank or agency to verify that the email is legitimate.
Spafford says many companies aren't spending as much as they should on cybersecurity.
"There isn't a huge amount of incentives for large organizations like Equifax or Capital [One] to fully secure that data because it's expensive and it's difficult," he says. "So as a result, people need to be somewhat defensive."
At least 21 states so far in 2019 have proposed legislation that would step up cyber protections for consumers. Many are attempting to expand the definition of personal and sensitive information to include biometric information and passwords. States like New York now require a wide variety of agencies and businesses to disclose a data breach to the individuals affected.
"Although there are a lot of things going on in the political arena at the moment, this is one of those things that could stand some greater regulation at either state or federal level," Spafford adds. He believes agencies like the Federal Trade Commission needs to step in to help secure private information.
Jasmine Aguilera