Not Your Grandparents' AT&T
TJX Settles With New England Banks

Capital One: What's In Your Database?

This is news I really didn't want to read just before the Christmas holiday.

In the TechRepublic Programming and Development blog, Justin James recently reported on some pretty scary stuff about Capital One Bank. This caught my eye since I am also a customer:

"A few weeks ago, I received a paper bill from Capitol One instead of the usual e-mail notifying me that my statement was posted online. When I went to pay my bill, I didn’t notice anything unusual — although, in retrospect, I should have. I paid my bill a few days before the due date and went on my merry way. This Saturday (after the due date), I received a letter in the mail informing me that my payment was rejected due to an invalid bank account number used for payment. Huh? My checking account has not changed in well over five years."

Apparently, Capital One's database had become corrupted. Capital One was trying to use an obsolete and 5-year-old checking account number Justin had closed long ago. That Capital One was using this obsolete checking account number when he knew the company had his current checking account number, was a clear signal that Capital One's database was severely corrupted... and that the company was unable to restore the database properly from any backup files. Not good. Not good at all.

Justin's blog post was quite unsettling as I haven't heard anything about this in the news. As Justin wrote:

"Data corruption is the silent killer of databases and the source (and often the result of) security breaches, system failures, and programming mistakes. I hit the panic button, big time."

If this database corruption is due to a data breach, I expect Capital One to have notified me promptly. I live in a state where breach notification is mandatory. So far, I haven't received any notices from Capital One. Justin has summarized well Capital One's poor customer service:

"Capitol One committed more than one of the top 10 “thou shall not’s” in IT with this incident.

  • It allowed data to be severely corrupted.
  • It deployed code without an appropriate rollback or back-up plan or path.
  • It did not notify its customers despite that the mistake is costing its customers to have late payments, resulting in fees and credit history problems if uncorrected.
  • It did not properly prepare the customer service team to handle the situation.
  • It allowed the user to see that data had been corrupted, which has destroyed all trust in the system."

I visited Capital One's web site to see what database corruption notices were posted. The Press Releases site section didn't contain any database corruption notices. Neither did the site's Online Protection or Fraud site sections contain any database corruption notices.


Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.