Following complaints from customers, the Federal Office of the Privacy Commissioner of Canada is launching an investigation into the data breach that occurred at Capital One, which affected six million Canadians.
In addition to the six million Canadians, the Capital One breach also exposed the data of about 100 million US customers, including about 140,000 Social Security numbers and 80,000 linked bank account numbers.
On top of credit card application data – such as phone numbers, email addresses, birthdates, and information on self-reported income – the cyber attacker was also able to access consumer credit scores, credit limits and balances, as well as fragments of transaction information. That transaction information was specific to certain days during the years 2016, 2017, and 2018.
The Canadian Press reported that Capital One had informed the federal privacy regulator of the breach the moment it identified the cyberattack.
Capital One warned consumers about receiving calls from someone claiming to be with the company, advising clients not to provide any information. The bank announced that it would notify affected individuals by letter or email, never by phone.
This is not the only cyber event that the Office of the Privacy Commissioner of Canada is currently handling. Over the past few months, the agency has been investigating the circumstances of the 2017 Equifax breach and, more recently, the Desjardins leak just last month.
In April, the federal office concluded that Equifax had failed in its privacy obligations, listing a number of issues such as poor security safeguards; retaining information regarding the attack for too long; inadequate consent procedures; a lack of accountability for Canadians’ information; and limited protection measures offered to affected individuals after the breach.
By the end of the investigation, Equifax had to pay affected clients as much as US$700 million.
Last month, the office said that it would launch an investigation into the data breach incident that impacted almost three million members of financial services company Desjardins Group. The office explained that the probes, which will be conducted together with its provincial counterpart, will determine whether or not the financial company was compliant with federal and provincial laws on personal information protection.
Desjardins has since offered a protection plan to all its members – not just the ones affected by the leak.