News Capital One Data Breach Affects 100 Million Americans

bit_user

Splendid
Ambassador
Most of the compromised information came from consumers and small businesses that applied for a credit card between 2005 and 2019.
These guys should have to answer for why they need to keep information from 14-year-old credit card applications! Especially if you didn't even get the load or credit card, why on earth do they still need that information? There's no good reason - they're just data hoarders.

This wouldn't happen if the US had GDPR.
 
Reactions: TJ Hooker

USAFRet

Titan
Moderator
Mar 16, 2013
144,465
8,648
175,340
22,536
This wouldn't happen if the US had GDPR.
About that...

Spain, 2018:
https://www.theinquirer.net/inquirer/news/3035980/telefonica-breach-exposes-personal-data-of-millions-of-customers

Germany, 2019:
https://www.theguardian.com/world/2019/jan/08/germany-data-breach-man-held-in-suspected-hacking-case

France, 2017:


EU wide:
"Over 59,000 personal data breaches reported across Europe since introduction of GDPR, according to DLA Piper survey"
 

bit_user

Splendid
Ambassador
EU wide:
"Over 59,000 personal data breaches reported across Europe since introduction of GDPR, according to DLA Piper survey"
Sorry, I didn't actually mean that data breach wouldn't have happened, just that the impact would've been far smaller if they didn't hold onto that data for so long, with no apparent purpose or business necessity.

Apologies for my sloppy wording, but thanks your contributions, nonetheless.
 
Reactions: TJ Hooker

USAFRet

Titan
Moderator
Mar 16, 2013
144,465
8,648
175,340
22,536
Sorry, I didn't actually mean that data breach wouldn't have happened, just that the impact would've been far smaller if they didn't hold onto that data for so long, with no apparent purpose or business necessity.

Apologies for my sloppy wording, but thanks your contributions, nonetheless.
I have had people attribute magical powers to the GDPR, and the earlier UK Data Protection Act.

Just last week, the instructor of a class I was in (Cybersecurity):
"A European website can't collect any data on you. No personal info at all."

I countered with:
'Yes they can, if they have a need and they inform you of it"

Him:
"NO! They can't, at all."

'So if I buy something from a German website, how do they know where to ship it to, and how do they get my money?'

He then just quickly moved on to the next topic.


And here, there IS a requirement to retain records like that for X years.
The aftermath of the Enron scandal, financial companies are required, by law, to retain records like that for some number of years.
 
Reactions: bigdragon

TJ Hooker

Champion
Ambassador
And here, there IS a requirement to retain records like that for X years.
The aftermath of the Enron scandal, financial companies are required, by law, to retain records like that for some number of years.
Why on earth would they be required to keep personal information of their customers for extended periods of time? I assume you're referring to the Sarbanes–Oxley Act, which applies to financial records, not customer info...
 
Reactions: bit_user

USAFRet

Titan
Moderator
Mar 16, 2013
144,465
8,648
175,340
22,536
Why on earth would they be required to keep personal information of their customers for extended periods of time? I assume you're referring to the Sarbanes–Oxley Act, which applies to financial records, not customer info...
Why would customer financial records not be "financial records"?

In any case, it happened here, it happens in Europe, it happens everywhere.
There is no law or regulation that can prevent malice...only punish after the fact.
 

bit_user

Splendid
Ambassador
I have had people attribute magical powers to the GDPR, and the earlier UK Data Protection Act.
Okay, but just so we're clear, that wasn't my intent. I was just referring to the data-retention aspect.

Why would customer financial records not be "financial records"?
sigh

SarbQx is about keeping financial records of the company, so that auditors can find evidence of fraud or embezzlement. They don't just blindly keep all data that is at all financial in nature. There's no way the company's auditors need to see millions of 15-year-old credit card & loan applications. Not even recent ones, because those are financial records about the customers - not the company.

Seriously, now you're starting to sound like that dude you were mocking.

There is no law or regulation that can prevent malice...only punish after the fact.
But you can mitigate the impact of such hacks.

And if there's less data to steal, it also makes theft less tempting, so fewer are likely to bother. I agree there's no magic bullet that can stop all hacks, but there are many small steps that can be taken to manage the problem.
 
Last edited:
Reactions: TJ Hooker

USAFRet

Titan
Moderator
Mar 16, 2013
144,465
8,648
175,340
22,536
Yes.
Reduce the amount of data, and you reduce the temptation.
Sadly, unless forced to, companies don't willingly destroy data like that.

And even weirder, this particular breach was seemingly not done for financial gain, but for the perp to get notoriety. "See what I did? That proves I'm a leet hacker, now gimme a job."
That worked out well for her.
 

bit_user

Splendid
Ambassador
And even weirder, this particular breach was seemingly not done for financial gain, but for the perp to get notoriety. "See what I did? That proves I'm a leet hacker, now gimme a job."
As far as we know. If she really just wanted to know if she could pull it off, then I don't see why she went to the trouble of transferring all of the data.

Maybe she did sell it, but wasn't caught in the act. I don't expect her to volunteer that information, if she did.

But I get your point - that she only got caught because she couldn't resist telling somebody, and probably didn't know anyone 1337 enough. I think it's basic human nature to want to brag about your accomplishments, and I've heard, in the news, of several other perpetrators of big hacks who've been caught in this same way, over the years.
 

ASK THE COMMUNITY