On July 29th, Capital One announced in a statement that the personal information of over six million of its Canadian users had been exposed and jeopardized. The compromised data mostly belonged to consumers and small businesses and consisted of names, addresses, emails, phone numbers, as well as credit scores, balances, and limits.
The bank also announced that credit card numbers and login information were not compromised in the process, but that around one million of its users' social insurance numbers (SIN) had been acquired by the hacker.
Capital One’s Response
The chairman and CEO of Capital One, Richard Fairbank, apologized for the breach, stating that he is truly apologetic for what happened, although he is at the same time grateful that the culprit got caught.
Capital One stated that users affected by the hacking will not be contacted individually. The company did say that customers will be notified through a variety of ways but didn't specify which ones.
The alleged hacker, Paige A. Thompson, was arrested and charged with one count of computer fraud and abuse. During an FBI raid of her home, files that contained the names of Capital One and other organizations were found. Thompson's devices were also seized in the process.
Who Will Be Held Accountable?
It is highly unlikely that Capital One will face any serious consequences or major penalties for the breach unless a class-action lawsuit makes it to court.
In contrast to Europe and the United States, where companies face massive fines for misusing private data, Canada’s implementation of privacy laws is weak and unsustainable. In Canada, private citizens have the duty and responsibility to ask for rectification or compensation through civil lawsuits.
Experts claim the existing federal laws related to data breaches and the mishandling of data are not enforced enough and that they rely too much on the responsibilities of the individual.
The Personal Information Protection and Electronic Documents Act, also known as PIPEDA, is a Canadian data privacy law. It controls how organizations collect, use, and disclose personal information.
Yet, according to Peter Dalglish, most companies are not truly concerned about the main privacy legislation in the country, though most businesses do consider some forms of compliance important and follow them to a certain degree.
The Office of the Privacy Commissioner (OPC) has disclosed that it is investigating the incident. However, in the two previous serious data breaches, neither of the companies involved faced serious consequences in the country; both avoided fines and refused to implement the OPC's recommendations.
The fact that organizations rejected the Office of the Privacy Commissioner's legal findings as mere opinions is indefensible and unjustifiable, but at the same time, the rejections showcase the weaknesses of Canada's privacy protection system.
Many companies are not encouraged in any way to spend more money on security, even when incidents like this land them in the news and harm their brand image.
So unless data privacy laws become stricter and are strongly enforced, companies might not take any of these matters more seriously. Perhaps the best way to deal with this problem is a more reasonable system structure.