Another day, another data breach.
Just one week after credit reporting giant Equifax agreed to pay up to $700 million to settle a lawsuit over a 2017 data breach that left some 147 million people exposed, another major financial player has admitted that it was hacked.
Capital One Financial, one of the largest issuers of credit cards in the United States and the nation’s seventh-largest commercial bank, announced late Monday that a hacker had obtained the personal information of about 106 million of its credit card users.
“It’s another huge data breach,” said Thomas Johnson, vice president of public and board relations at the Better Business Bureau, which has been working to educate its members about cybersecurity threats.
Johnson said that while companies have “improved greatly” in their efforts to recognize and deal with cyberattacks, they still need to do far more.
“The threat is constantly evolving,” said Johnson. “It’s something that companies have to take seriously. … This is just kind of the new norm now for companies that they really have to be on top of this because companies are hacked all the time.”
Although major data breaches at large corporations attract the most headlines, Johnson said that hackers often deliberately target smaller companies that might not prioritize cybersecurity because of financial constraints.
“You hear about the big, big companies and the cybersecurity attacks that hit them but a lot of times it’s small businesses that are being hit,” said Johnson. “Small businesses are just hit over and over. They literally have all of their information frozen and boxed off and they can’t get to their data … they will be asked to pay a ransom that can be from several hundred to several thousand dollars. And if they don’t pay it they don’t get their data back, so most people just pay the ransom. It’s really a big problem for business today.”
Johnson also notes that small businesses without adequate data protection can create vulnerabilities for larger companies.
“A lot of the attacks that we’ve seen in cities and big companies has actually been through one of their vendors who has weak cybersecurity,” said Johnson.
And staff untrained in recognizing cyber threats are also a target for hackers.
“A lot of these cybersecurity breaches start with simple phishing emails,” said Johnson. “Unless the entire staff of a company has training to watch out for these fake emails it’s very easy to get tricked.”
As a consumer, if you believe your data may have been compromised, Johnson said that one of the best ways to protect yourself is to contact the big three credit reporting bureaus – Equifax, Experian and TransUnion – and ask them to freeze your credit.
“If you freeze your credit report nobody can get in there and steal your information,” said Johnson. “You can do it for any amount of time that you want. If you want to protect your information that’s a great way to do it.”
And of course, routinely checking credit card and bank transactions for any suspicious activity is now a must, as is getting a copy of your credit report. One indicator that you may have been hacked is if you see a number of very small charges.
“You’ll see a couple of transactions for 5 or 10 cents, that kind of thing, and once (hackers) have made sure that they have access to your bank account or credit card and it’s working then the charges will come flying in. And all of that will show up on a credit report,” he said.
If you are thinking of asking for a credit report or credit freeze, here are customer service contact numbers for the three main credit bureaus:
• Equifax: 866-349-5191
• TransUnion: 800-916-8800
• Experian: 888-397-3742
Blase Ur is an assistant professor of computer science at the University of Chicago. Below, his tips for protecting yourself against data breaches.
1. Use different passwords everywhere. “If for one data breach your password is revealed, then you’ll be accessible [to hackers] on all these different sites,” Ur said.
2. To better manage your different passwords, use password manager software. “You might think I have a really strong and hard-to-guess password that I’ll use everywhere, but if any company suffers from a data breach … you’re basically toast,” he said.
3. Enable two-factor authentication. “This is the case where you type in your username and password, and then you have to enter a code that comes up on your phone, for instance,” Ur said.
4. Be careful of phishing emails. “Sometimes they’re laughable, like some foreign prince wants to give you money and then you have to pay some processing fees to get this money. But now that all this personal information is being revealed from data breaches, we’ve seen more targeted phishing emails,” Ur said. “I think a big worry is this will become way more targeted in the future. If you get an email about your last vacation, it might just be a scammer.”
5. Think about what kind of information you are sharing with companies. “When you’re sharing information with companies, think about whether they actually need it,” Ur said. “We live in an age where it’s very natural to give companies information to get services, but just be wary. You have to be a little bit rebellious and say, ‘No, I don’t want to give this information.’”
Nicole Cardos contributed.