The Industry

Capital One Took Nearly Two Weeks to Disclose Its Hack and Customers Still Don’t Know if They Were Affected

The Capital One Bank Headquarters is pictured on July 30, 2019 in New York City. A hacker accessed more than 100 million credit card applications with US financial heavyweight Capital One, the firm said on July 29, 2019, in one of the biggest data thefts to hit a financial services company. FBI agents arrested Paige Thompson, 33, a former Seattle technology company software engineer, after she boasted about the data theft on the information sharing site GitHub, authorities said. (Photo by Johannes Eisele/AFP/Getty Images)
Capital One’s customers aren’t learning about the hack from Capital One. Johannes Eisele/Getty Images

It has been more than a day since Capital One disclosed one of the largest thefts of personal information from a bank ever, but if you’re wondering if your data was in that trove, it appears you’ll have to wait. The hack affected 106 million customers in the United States and Canada, most of whom applied for Capital One credit cards, and Capital One said it would notify the victims. While I did not check with all of those customers on Tuesday night, I did speak to more than a dozen Capital One customers across the country and none had received any communication from the bank about the hack yet. The company also has not posted any sort of portal to say if your information was compromised. Nor did it respond to my multiple requests for comment about plans to notify customers individually. Meanwhile, it’s becoming hard to miss the many, many ticked-off tweets like these:

Is Capital One leaving its customers in the dark? Or is a wait of this length or longer normal when it comes to notifying customers after a hack?

The company was first alerted to the hack—which Capital One is calling an “incident”—on July 17. Federal authorities arrested and charged the alleged hacker, Paige A. Thompson, a 33-year-old Seattle resident who went by the name “erratic” online, within 10 days of the bank discovering that its systems had been compromised. It was only on Monday evening, when court documents detailing the FBI’s investigation were released, that Capital One issued a press release on the matter. On Capital One’s website now, a banner directs customers to a fact sheet and FAQ about the hack, but the banner only appeared Tuesday night. The fact sheet does not say when consumers can expect to hear about whether their particular information was compromised. It does warn consumers about phishing and phone scams targeting potential victims of the hack.

While there’s no federal requirement about informing people who may have had their data exposed or stolen when a company has been hacked, most states have such laws. “Most of the state data breach notification laws are based on the California law, which was enacted in 2002,” says Jamie Winterton, director of strategy for the Global Security Initiative at Arizona State University, where she specializes in privacy and cybersecurity. “And that basically says that notifications must be made in the most expedient time possible and without unreasonable delay and consistent with law enforcement needs,” Winterton added. In the European Union, for comparison, firms are required to notify affected customers within 72 hours of discovering a breach. It’s been nearly two weeks since Capital One first got an email tipping it off to the fact that tens of millions of people’s credit card applications had been pilfered, including 140,000 Social Security numbers of Capital One credit card customers and about 80,000 bank account numbers linked to Capital One cards. Although Capital One said it believes it is “unlikely that the information was used for fraud or disseminated by this individual,” the information was sitting on GitHub after the hacker posted it.

The “general best practice is you notify customers as soon as you know who was affected,” according to Josephine Wolff, a professor of cybersecurity policy at Tufts University (and a Slate contributor), who added that it’s “definitely not best to wait until after an indictment since in many cases there isn’t any indictment.” Wolff told me she suspects that telling customers closer to when Capital One learned of the attack wouldn’t have compromised the investigation, since in this case, the hacker openly boasted about stealing the data in Slack channels and on Twitter before the colossal hack was discovered by the firm. When Facebook, for example, learned it experienced a hack that affected potentially 50 million users, it notified the public the same week, even before the company knew the identity of the attacker. About two weeks after sharing it had been hacked, Facebook clarified how many people were impacted and created a tool for users to check to see if their data was compromised.

“Whatever the law says, it’s not good corporate practice to leave consumers in the dark about their data being exfiltrated,” says Ryan Calo, a law professor and director of the Tech Policy Lab at the University of Washington.

Beyond helping customers know whether they need to take security precautions—like freezing their credit and changing their passwords—sending notifications to potential victims of the hack is also just a good business practice, according to Winterton. Last month, the Justice Department announced that Equifax’s former chief information officer was sentenced to prison for four months after pleading guilty to charges of insider trading for selling his stock before Equifax went public about its massive data breach in 2017. “You don’t want to be sitting there with a secret breach on your plate that is going to be inhibiting what you might do as a company, whether it be acquisitions, selling something off or stock trading and purchasing,” Winterton said. “It’s best to be above board with everybody.”

Capital One’s decision to call the hack an “incident” instead of a breach may well be strategic. “Lawyers make a distinction between security ‘breaches’ and ‘incidents.’ Breaches require public notice, most incidents do not,” Berkeley law professor Chris Hoofnagle, who specializes in privacy law, explained on Twitter. “Incidents can be worse than breaches. But from a business perspective, it’s better to have an incident than a breach, even if the incident is bad.” Although Capital One’s firewall was breached and data was stolen, the word “breach” is nowhere to be found in the company’s press release. The word “incident” appears 17 times.

On Monday evening, Capital One CEO Richard Fairbank apologized for the “understandable worry” the breach has caused customers. The bank said in its press release that it does plan to “notify affected individuals through a variety of channels” and that it will provide “free credit monitoring and identity protection available to everyone affected.”

But here’s the problem: Once data is released online, especially when the hacker boasts about the hack to her friends and dumps it in an accessible place like GitHub, it’s beyond Capital One’s control. The data could have already been downloaded and copied and distributed elsewhere. All of which is why it’s so important to give customers as much information as possible as soon as possible about what happened.