CapitalOne data breach

On 23 September 2019, CapitalOne announced that it had notified consumers of a data breach
that affected six million Canadians. In July, the company discovered that an attacker had gained
access to the personal information of consumers who had applied for a credit card between 2005
and early 2019.

Some consumers had cancelled their CapitalOne cards years before. Canadian law doesn’t have
specific timelines for Canadian companies to delete Canadians’ data. Canadians have the right to
ask companies what data they retain on them and can ask that the company delete it.

Many companies provide free credit monitoring services to their customers in the wake of
breaches affecting their data. Following the CapitalOne data breach, CapitalOne arranged for a
two-year subscription to myTrueIdentity through TransUnion for affected consumers.

Who watches the credit monitors?

On 9 October 2019, TransUnion admitted that attackers had fraudulently accessed its data
through a business login between June and July. The breach affected the data of approximately
37 000 Canadians.

Free credit monitoring was also provided following the Desjardins Group breach in March. The
Desjardins breach was the largest data breach amongst Canadian financial institutions. It affected
roughly 2.7 million people. Desjardins provided affected customers credit monitoring services
through Equifax. Equifax suffered a data breach resulting in the records of 147 million people,
including 19 000 Canadians, being stolen in 2017.

Data breaches amongst Canadian companies are becoming more numerous, and now both
agencies that monitor Canadians’ credit have been affected.

Using valid credentials in an attack

TransUnion says that data was stolen by a fraudulent login through one of its business accounts.
Attackers in the Equifax data breach also used valid credentials to steal data.
Using the valid credentials of a specific user or service is a known method for attackers to steal
data. This method often doesn’t require attackers to install malware, which can make the
intrusion harder to detect.
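Because a login with valid credentials leaves no malware to find, detection has to rely on how the account behaves. The following is an added example, not code from the article or from any of the companies named, that profiles a business account from a period of known-good access logs and flags later logins that come from a new network, at an unusual hour, or pull far more records than the account ever has; the log lines, account name and IP addresses are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not real data): timestamp account src_ip records
LOG = """
2019-05-06T09:12:00 partner-17 198.51.100.4 120
2019-05-07T10:40:00 partner-17 198.51.100.4 95
2019-05-08T14:05:00 partner-17 198.51.100.9 140
2019-06-21T02:17:00 partner-17 203.0.113.77 120
2019-06-22T10:30:00 partner-17 198.51.100.4 6800
2019-07-03T10:02:00 partner-17 198.51.100.9 110
""".strip().splitlines()

def parse(line):
    ts, account, ip, n = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account, "ip": ip, "records": int(n)}

def build_baseline(events, cutoff):
    """Per-account profile (source IPs, login hours, peak volume) from pre-cutoff events."""
    base = defaultdict(lambda: {"ips": set(), "hours": set(), "max_records": 0})
    for e in (x for x in events if x["ts"] < cutoff):
        b = base[e["account"]]
        b["ips"].add(e["ip"])
        b["hours"].add(e["ts"].hour)
        b["max_records"] = max(b["max_records"], e["records"])
    return base

def flag_anomalies(events, baseline, cutoff, volume_factor=3):
    """Return (event, reasons) pairs for post-cutoff events that break the account's profile."""
    flagged = []
    for e in (x for x in events if x["ts"] >= cutoff and x["account"] in baseline):
        b = baseline[e["account"]]
        reasons = []
        if e["ip"] not in b["ips"]:
            reasons.append("new source IP")   # right password, unfamiliar network
        if e["ts"].hour not in b["hours"]:
            reasons.append("unusual hour")    # outside the partner's normal working pattern
        if e["records"] > volume_factor * b["max_records"]:
            reasons.append("bulk access")     # far more records than this account ever pulled
        if reasons:
            flagged.append((e, reasons))
    return flagged

def run(cutoff=datetime(2019, 6, 1)):
    """Profile on May traffic, then review June and July for deviations."""
    events = [parse(line) for line in LOG]
    return flag_anomalies(events, build_baseline(events, cutoff), cutoff)
```

In practice the baseline would be built from weeks of logs per account, and a flagged event would open a review rather than block access on its own, since partners do change networks and hours.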

Attacks against credit monitoring agencies are particularly worrying. Consumers often do not
give their consent to have their data shared with credit monitoring agencies, and these agencies
often hold a large amount of data on consumers.