The Capital One breach announced recently compromised the data of 100 million Americans, which is nearly 40 percent of all U.S. adults. After the Equifax, Target, Home Depot, and Marriott hacks, it can be easy to shrug off the news of another leak, but one group of consumers is at particular risk in the Capital One breach: 80,000 Americans who applied for secured credit cards with the company.
The hacker, Paige Thompson, gained access to personal information such as income, address, and credit scores for seemingly all recent applicants to Capital One credit cards. For secured card applicants, who tend to be low-income, bank account information was compromised as well.
A secured card normally resembles other subprime credit cards — they still report to the credit bureaus, they still charge interest and late fees, and you can still default on the card if you don’t make your payments. But borrowers need to put down a security deposit in order to obtain one, which requires access to the borrower’s bank account information.
Get Talk Poverty In Your Inbox
The fact that bank account credentials were compromised raises the stakes for those consumers: even compared to credit card fraud, resolving checking account fraud is no walk in the park, and the costs here will be borne by people who can’t afford to take a hit.
For consumers who don’t think they can get approved for a normal credit card, secured cards can be appealing. And who are those consumers? They don’t have a lot of money: Federal Reserve Bank of Philadelphia researcher Larry Santucci has found that the median income of secured card customers is $35,000, compared to $50,000 for Americans with unsecured credit cards.
Of course, given that these incomes are self-reported, and that credit card companies aren’t required to validate the income of all credit card applicants, this income data is almost certainly overstated: Plenty of people know they can get declined for a credit card for being too poor.
I worked at Capital One for five years, from 2013 to 2018. For a short stint during that time, I was in charge of the secured card product. I know most secured card customers are in no position to absorb a financial shock — and, unfortunately, having your checking account data leaked puts you in a much more dangerous position than a simple breach of your credit card number, or even your Social Security number.
If you apply for a Capital One secured card and get approved, you’ll initially be assigned a $200 credit limit, contingent on you sending in a security deposit of either $49, $99, or $200. The minimum security deposit you have to make depends on your risk as an applicant.
Think about that for a second: People are putting down a $200 deposit, to get a $200 credit limit, and the product makes money because people then borrow against their own deposit at a 26.99 percent interest rate — one of the highest in the industry — and get hit with late fees up to $39 when they fail to make payments on time. Santucci has found that only one in four secured card customers pays their credit card bill in full every month.
Some secured card customers are “new-to-credit,” but major banks such as Bank of America, Wells Fargo, and Discover have all been known to give out credit cards, at least with small credit limits, to people without credit history. If you’re new-to-credit but you have a checking account, and you also realize that your odds of being approved for an unsecured credit card are pretty high if you walk into a branch of your bank (of course, not everyone realizes this), you’re not likely to find a secured card attractive.
More commonly, secured card customers have low credit scores – the typical customer’s FICO is in the 500s — an obvious indication that they’ve struggled in the past to pay bills and to make ends meet. This condition can be temporary —your credit score might still be low even though your finances have recovered, since missed payments lower your credit score for seven years — but many Americans who struggle financially never achieve the stability they’d need to keep a high credit score. In a country where plenty of people live paycheck-to-paycheck, but only a third have subprime credit scores, secured card holders and applicants tend to be under real financial distress.
Because secured card applicants have to put down a security deposit, they’re not approved until they give Capital One checking or savings account information and their deposit is sent, unlike users of unsecured cards. This is what puts Capital One’s secured card holders at greatest risk after the breach.
To see why, it’s helpful to take a second to think about the exact ways in which a data breach comes back to bite consumers — especially given that you’re usually not on the hook for purchases fraudulently made in your name, whether someone has stolen your credit or debit card, or opened up an account using your identity.
Lose your credit card number, as in the Target or Home Depot breach, and you can usually resolve things with quick phone call to your bank if a fraudster makes purchases on your card. Lose your Social Security number and address, like in the Equifax breach, and someone can open up new accounts in your name, or take over your existing accounts by calling the bank, pretending to be you, and changing the contact information. Proving someone else did this can be anywhere from moderately to extremely time-consuming depending on your circumstances: it took reporter Phil McKenna a few days to clear things up, a typical amount of time for garden-variety identity theft, where you’re usually out time but not money.
But let’s consider what it will look like if someone uses the checking account information from a Capital One secured card customer to commit ACH (Automated Clearing House) fraud – using the customer’s checking account routing numbers and account numbers to set up unauthorized withdrawals, write counterfeit checks, or even pay off the fraudster’s own credit card.
If you’re a Capital One secured card customer, your checking account could be emptied. If you don’t notice what happened, you might try to make purchases and get hit with overdraft fees expecting money to be available that’s gone. Odds are very high you’re living paycheck to paycheck. Your Capital One secured card may have a limit as low as $200, and, across the industry, the typical secured card customer has only one credit card. If that happens, how are you supposed to buy groceries, bus fare, or diapers?
What’s known as Regulation E requires the bank credit your account within 10 days of when you notify them about fraud, unless further investigation is needed: a Capital One spokesperson told me they try to resolve most cases well under that limit, and said they refund any overdraft fees they determined occurred because of the fraud, whether it was the fraudulent transaction or a subsequent legitimate transaction took the account to a below $0 balance.
Everything depends on how quickly the customer notices something was wrong, how comfortable she is advocating for herself, and how equipped she is to go up to 10 days with nothing in the bank. Nearly 40 percent of Americans couldn’t cover a $400 emergency expense without borrowing money, even without having their checking account drained unexpectedly by fraud, and the typical secured card customer has no other credit cards.
Now, it’s completely possible that no actual fraud will occur as a result of the Capital One breach: in a statement, Capital One said that, based on the analysis they’ve done so far, they consider it “unlikely that the information was used for fraud or disseminated by this individual.” If they’re wrong, the consequences for secured card customers will be severe.
In this moment of crisis, it’s worth taking a step back to ask a broader question: are secured cards more helpful or more harmful to the low-credit score consumers they’re designed to serve? These products are often touted as a way to help people improve their credit scores, but there is weak evidence that they work for the typical customer. Santucci’s research shows that the median customer with a secured card sees only a 11-point increase in their FICO after two years, a number that’s dragged down by the 20 percent of customers who close or default on their cards within 24 months. 11 points is not a particularly impressive increase, especially given that if you wait and do nothing other than paying any existing bills on time, your low credit score typically goes up on its own as negative information on your credit report ages off.
Banks can tout that secured cards are free for customers who pay their bills in full every month, but the three-quarters of customers who carry a revolving balance are paying a high price for the privilege of borrowing against their own money, and would arguably be better off using their security deposit as an emergency fund. I’m sympathetic to what can feel like a double-bind to the banks: given that you need to charge higher prices to low-income customers to break even, is it better to be accused of ignoring them, or is better to be accused of exploiting them? If companies like Capital One can’t find better ways of serving low-income Americans, it won’t just be a breach of data: it will a breach of trust.