TORONTO — This week’s massive Capital One data breach is the latest in a string of cyberattacks that experts say are becoming larger and more frequent, as corporations hold more personal data in online repositories that are a treasure trove for hackers.
“There’s definitely a rise in personal data theft, there’s a rise in data breaches,” said Claudiu Popa, a cybersecurity expert with Datarisk Canada.
The Capital One breach exposed the data of about six million Canadians, including about a million social insurance numbers. The company says it will start to notify affected Canadians next week either by letter or email.
The incident also exposed the data of roughly 100 million U.S. clients, including about 140,000 Social Security numbers and 80,000 linked bank account numbers.
In addition to credit card application data such as phone numbers, email addresses, dates of birth and self-reported income, the hacker was also able to access credit scores, credit limits and balances, as well as fragments of transaction information from a total of 23 days in 2016, 2017 and 2018.
The breach comes about a month after Desjardins Group said personal information from more than 2.9 million of its members was stolen, while major data breaches from Equifax, Marriott Hotels, Uber and other companies have exposed consumer data in the past few years alone.
A recent IBM study found that companies globally have a 30 per cent chance of experiencing a data breach within two years, up from 23 per cent in 2014.
Part of what’s making these breaches more common is that companies are collecting so much more information and thinking up new ways to make use of it, said Popa.
“It’s almost harder for us to anticipate what legitimate businesses are going to think up doing with the information that, for the most part, they over-collect, rather than for us to keep ahead of criminals.”
The trend to over-collect and hoard data should prompt customers to ask questions including how soon they will dispose of data, said Popa, given that the Capital One breach included credit card applications going as far back as 2005.
Customers should remember they can influence company policies, even if the hacks start to feel inevitable, he said.
The apparent inevitability of such attacks has, perhaps ironically, also made some consumers more blase.
“Unfortunately many people are jaded and desensitized because of the prevalence of all these attacks. It seems like it’s happening on a weekly basis, it seems like they are powerless to prevent them,” Popa said.
Data hacks and cybercrime, however, shouldn’t just be accepted, said Daniel Tobok, chief executive of Cytelligence Inc.
“It’s happening more and more, but it doesn’t mean it should be normalized or we should get used to it as just another day at the office. This is a problem.”
He said part of the problem is that Canadian regulations lack teeth and present limited options to fine companies, while jurisdictional issues make it hard to track and prosecute the thieves.
Another issue is that the thefts can be quite profitable, said Tobok.
“The real reason why there’s more and more breaches is because it’s extremely lucrative for the cybercriminals.”
The rise in data hacks has coincided with a rise in cybercrimes reported to police. Cyber-related fraud, for example, climbed from 7,332 incidents in 2014 to 16,422 last year according to Statistics Canada.
Companies need to be pressured to more proactively protect data through encryption and investigations, as too few are making the proper investments, he said.
“There’s still a feeling of it’s not going to happen to us,” said Tobok.
Criminals are also staying steps ahead of attempts to safeguard databases, said Iman Sharafaldin, a researcher at the Canadian Institute for Cybersecurity.
He said powerful automated tools and more access to information make it harder to stop breaches.
“Nowadays you can learn hacking stuff by searching YouTube videos.”
Given the challenges of safeguarding data, experts recommend that customers should think carefully before handing over any information to companies.
In the Capital One breach, for example, social insurance numbers from a million Canadians were stolen — even though the number isn’t required in a credit card application.