Important Notice: While our offices remain open, we ask that you please make an appointment given hybrid/remote work considerations. Thanks for your understanding and we look forward to seeing you.

Synex

Capital One Security Breach

The Breach

Last week, Canadians witnessed one of the largest security breaches in history. The Capital One data breach affected more than 100 million customers, including six million Canadians. 

Phone numbers, addresses, postal codes, personal financial information, and emails were compromised as a result—not to mention, one million Social Insurance numbers. 

“It’s scary to just know that they're not handling our information as they should. You hear about these breaches all the time, you think they would be stepping up their game.”  –Vanessa Torres, Affected Customer 

So, how did this all happen? Was it a sophisticated team of overseas hackers? Not quite. The attack was orchestrated by a single hacker who was able to find a weak spot in the security software. According to the New York Times, “it did not appear that the breach of the bank’s computer systems was particularly sophisticated.”

“Companies are simply under-resourced. They’re not devoting the resources required for strong security.” Ann Cavoukian—Executive Director of the Privacy by Design Centre For Excellency at Ryerson University

The Aftermath 

Within 24 hours of disclosing the breach, the inevitable happened. Capital One was hit with a proposed class-action lawsuit at a federal court in Washington. North of the border, a Quebec City law firm has also filed a class-action request on behalf of an affected customer. 

The request states that Simon Goulet, the plaintiff, is “greatly troubled and worried about the use that will be made of his personal information.”

It’s hard to predict what position the courts will take at this time, but regardless of whether they accept or reject the class action suits, the legal costs will be significant for both parties. In total, Capital One expects to spend between $100–150 million US on credit monitoring services, identity theft protection, communication efforts, tech costs, and legal support. The stock market wasn’t too excited about the news; the bank’s shares fell 5.9 percent, their largest decline since January. 

The Road Ahead

The Capital One breach raises some important questions across a variety of domains: cloud computing, security, privacy, cyber defence, and cyber preparedness. More could have been done to prevent the attack, explained John Dickson of the security consultancy Denim Group. However, from an insurance standpoint, Capital One was prepared, carrying a Cyber Insurance policy for $400 million in coverage (subject to a $10 million deductible). If the scope of the data breach doesn’t widen, Capital One will be covered. Undoubtedly, the breach will shake consumer confidence and their reputation for years to come, but they will still be in business, thanks to their insurance coverage. For small to midsize businesses, a single cyberattack is enough to collapse the organization. 

“According to the National Cyber Security Alliance, 60 percent of small and midsized businesses that are hacked go out of business within six months.” —Joe Galvin, Joe Galvin, Chief Research Officer at Vistage

The vast majority of cyberattack victims are small businesses, this is because they “often tend to lack sufficient security measures and trained personnel.” When hackers take advantage of this vulnerability, the aftermath is often devastating for business owners. Despite the bleak statistics, there is some good news: you’re not alone. 

Cybersecurity expertise and consultants are readily available. Palladium Insurance has partnerships with professionals that can assess your business, help create a cyber incident response plan and be there as a cyber coach should something happen.  

Furthermore, Palladium’s Cyber Liability insurance policy can start with a liability limit of $1 million; it provides sub-limits of insurance for business interruption, fines, penalties, legal costs, credit monitoring, and cyber coaching.  For just over $100 a month, small to medium-sized businesses will be ready to respond and recover from a cyberattack.