Capital One Financial Corporation announced today that ten days ago it determined that an unauthorized party, who has since been arrested, illegally accessed personal information about the credit card giant’s customers and credit card applicants.
Perhaps most notable about the announcement (screenshot below) when compared with other breach notification statements, however, were three lines appearing about three-quarters of the way through the overview of the breach that Capital One posted on its website:
No bank account numbers or Social Security numbers were compromised, other than:
About 140,000 Social Security numbers of our credit card customers
About 80,000 linked bank account numbers of our secured credit card customers
In New York, we would call such a statement pure chutzpah.
I don’t know if Capital One engaged public relations experts, lawyers, crisis management experts, and other professionals to carefully review and fine tune its breach notification statement – but major corporations commonly do. But, statements resembling “Nothing serious happened other than everything serious that happened” do not instill confidence, and should not become the new normal of breach notifications.