This story is so familiar it barely warrants reading past the headline: another day, another massive data breach. A familiar name, a familiar industry, a huge haul of personal information (to date with no evidence of fraudulent use), and so it goes on. However there are a few items that are noteworthy about this mega data breach announced today by Capital One:
1. 100 million identities put this in the top 10 data breaches of all time. That there are huge databases of PII which are not more heavily segregated across the network will be subject of much navel gazing.
2. The perpetrator has been caught and charged (case pending) which is extremely rare in these type of cases, especially that the accused is US based (and a woman), and appears to have been 10 days between discovery and press release.
3. Compromised Information dates back to credit card applications from 2005 - 14 years ago. No doubt, data retention policies and technologies will be looked into.
4. Over 140,000 Social Security Numbers have been impacted, which of course are a lot more complex to update (if this is even possible) than a credit card number.
5. There is already a financial estimate associated with the 2019 costs to the business - over $100m. Nor clear how this has been reached, nor how much may be covered by insurance (and the related deductible) but substantial by any measure.
So there it is - I'm guessing Capital One have a substantial cyber insurance program (and no doubt a few frantic calls from CUOs to Heads of Cyber of a "are we on this risk?" nature, to contend with) but this type of large loss should not be a surprise to the insurance industry. What is harder to discern is how these types of events could have the potential to spread across different companies or sectors. It is that accumulation potential that we spend much of our time focused on. Now that would be headline grabbing for all the wrong reasons.
The bank said "the largest category of information" accessed from applicants who applied for credit cards between 2005 and 2019 was personal information including names, addresses, phone numbers, email addresses, dates of birth and self-reported income.