Why is Capital One bragging about the part of its data that wasn’t stolen?

Capital One suffered a data breach. Its explanation of how many and which customers were affected is quite confusing — and it has an odd obsession with reporting on what wasn’t stolen rather than what was.

According to its About page: “Capital One is . . . serving approximately 45 million customer accounts.” So how many of the 45 million accounts were compromised? Over 100 million. Confused? Read on.

Analyzing the Capital One Statement

Here’s Capital One’s statement on the breach, with my commentary:

Date: July 29, 2019

Capital One Financial Corporation (NYSE: COF) announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.

Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.

Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.

So, putting aside the Canadians, the breach exposed 100 million people, or 2.2 times as many people as Capital One has customers. Apparently, if you are a U.S. Capital One customer, there is a 220% chance your account was breached. We’ll come back to the Canadians later.

Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.

The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

Why are we talking about what wasn’t taken before we talk about what was?

With 45 million customers, 99% “not compromised” leaves 450,000 exposed. If it’s really 100 million customers, that would leave a million exposed.

Gee, what would a thief do with my name, address, phone number, email address, date of birth, and income? At least they don’t have my Social Security number — unless they look it up from the Equifax breach, but what thief would be creative enough to do that?

Imagine how much Capital One spent sending out solicitations to get credit card applications. Now think about how much it spent on security. Which do you think is larger?

Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

– Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information

– Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

Why is this in bold? Is it more important than the information about stolen Social Security numbers?

Now, for a moment, imagine you get a call that says it’s from Capital One. They know your email address and can read back to you transactions and payments from your account. Would you be smart enough to suspect it was fake? Many people wouldn’t.

No bank account numbers or Social Security numbers were compromised, other than:

– About 140,000 Social Security numbers of our credit card customers

– About 80,000 linked bank account numbers of our secured credit card customers

That’s a strange way to write about a breach, in terms of what wasn’t taken. Sort of like if we wrote about bank robberies this way:

“Nothing was taken in the robbery except $25 million in cash and the contents of 150 safe deposit boxes.”

Pretty silly. And 140,000 Social Security numbers compromised is 0.3% of 45 million accounts. Why didn’t they say that 99.7% weren’t affected? Maybe because of what comes next:

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

Talk about burying the lede: If there are 6 million Canadian customers (a reasonable guess, since 6 million Canadian accounts were hit), that means one in six had the number stolen. It sucks to be Canadian — even your major breaches don’t get top billing.

We will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected.

Safeguarding applicant and customer information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses.

The investigation is ongoing and analysis is subject to change.

Do you mean you might find out even more accounts were affected?

The honest version of Capital One’s release

Perhaps the worst part of this press release, even more than the burying of the bad news, is the passive voice. “Were compromised” ignores who did what. Apparently, the person who stole the information was a former employee of Capital One’s web hosting company. This was an inside job. That information, of course, was not in Capital One’s explanation.

As a public service, I’ll rewrite the statement so it’s not misleading, doesn’t bury the lede, and is in the active voice.

On July 19, 2019, we determined that an individual working for one of our contractors downloaded some of our customers’ personal information and posted it on a public site. This affects 100 million people in the U.S. and 6 million in Canada. Most of the posted data came from credit card applications.

The stolen data includes:

– 1 million Social Insurance Numbers of our Canadian customers.

– 140,000 Social Security numbers of our American credit card customers.

– 80,000 linked bank account numbers of our “secured” credit card customers.

– From credit card applications: names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

– Portions of credit card customer status data, including credit scores, credit limits, balances, payment history, contact information, and transaction data from a total of 23 days during 2016, 2017 and 2018.

We’ve fixed the configuration vulnerability and have turned over information to the FBI, which has arrested the suspect. We don’t think she used it for fraud, because she appears to be an idiot. On the other hand, she posted it on the public site GitHub, so who knows who got it from there.

If this affected you, we’ll be in touch and offer free credit monitoring and identity theft protection.

Because “What’s in your wallet?” really isn’t a question thieves should know the answer to.
