Who’s in your wallet? Capital One breach shows vulnerability of online financial data

The criminal element used to have to work a lot harder to steal your personal information.

Whether through lost or stolen wallets, credit-card slips retrieved from trash receptacles, numbers lifted directly from cards that had been handed over at merchants for payment, assembling lists of names and account information was a slow and laborious job.

But just as the miracle of digital technology has revolutionized and streamlined media, entertainment and retailing, so too has it made the harvesting of private information for illegal purposes far more efficient.

Why go to the risky and grubby work of physically collecting personal information — names, addresses, Social Security numbers, credit card and bank account numbers — when someone has not only done the work for you (and in volumes you could never hope to duplicate on your own through conventional methods) but made it available with a few keystrokes?

The Capital One data breach is merely the latest in a depressing series of announcements about information thefts, although this one is notable for the prominence of the company, the size of the theft (100 million individuals in the United States and 6 million in Canada, according to the company), that the alleged perpetrator is from Seattle and that it was (again allegedly) an inside job, the perp having worked for Amazon’s cloud-service operations that hosted Capital One’s credit-card data.

Public reaction tends to be muted to these announcements, not just because there have been so many of them but because:

Individuals can’t on their own do much to stop the theft of data short of disconnecting from the digital world. You can take steps to protect physical assets like your home or your car, although those measures are hardly guaranteed to repel all miscreants. But even if you take steps to protect your information (like not handing it over to people calling on telephone scams), there’s so much information about you in the hands of banks, insurers, health-care providers and the government, and you have no way of ensuring the security of any of it.

The theft of the data may produce some spectacular numbers in the aggregate — 100 million individuals! — but the actual impact at the individual level is much tougher to see or add up to get a sense of how big the problem is. Monetary losses due to data theft might not even get reported to authorities (the victim doesn’t notice until it’s too late or is too embarrassed), and thus, outside of the occasional anecdote, generate little public attention.

Announcements of security breaches and data thefts are often accompanied by reassurances that nothing of consequence was taken and the incident isn’t as bad as it may appear. Consider this statement from Capital One: “Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised. No bank account numbers or Social Security numbers were compromised, other than: About 140,000 Social Security numbers of our credit card customers (and) about 80,000 linked bank account numbers of our secured credit card customers.”

That’s a pretty big “other than,” especially that second number. Since those accounts are, by definition (and Willie Sutton), where the money is, that data will likely pique the interest of those wanting to get at it.

But, you argue, those accounts are password protected. Those passwords reside somewhere in the digital world. If the digital thieves were talented enough to find the account numbers (or worse, have some inside help) in the first place, would you like to bet against their ability to penetrate the security walls protecting the accounts themselves?

Assurances that sufficient security protections are in place are the digital equivalent of a Titanic moment waiting to happen.

And it will happen. The Capital One breach will not be the last, and the breaches to come will be larger and involve more sensitive, more potentially damaging data about our financial assets.

How can we be so certain? Two reasons.

First, the criminal element has a work ethic and talent for innovation that is the envy of the legitimate, law-abiding world. As fast as some technological device or system is introduced, the crooks are hard at work devising ways to exploit it.

That leads us to the second reason. Advancements in electronic finance and digital payment systems are looming. Now Facebook, already awash in lots of data about you, wants to set up its own e-currency, which will mean even more collecting of sensitive information from those who want to use it, which will lead to even more concerted efforts to steal that information and the money it represents.

As individuals we face some decisions about the risk-reward calculations of using these new payment schemes. If we decide information security does matter, then that may become as much a competitive feature in the marketplace as convenience and cash-back and airline mileage awards are now.

As a society we face the same calculations, on a much broader scale — how much do we value a faster, more convenient way of storing and using our money vs. what we’re spending on losses and security measures.

Capital One built a national credit-card brand through the marketing tag line, “What’s in your wallet?” Since the wallet increasingly is digital rather than physical, some better questions to ask are: Who’s in your wallet? What are they doing there? And who let them in?

Bill Virgin is editor and publisher of Washington Manufacturing Alert and Pacific Northwest Rail News. He can be reached at