Capital One announced a data breach involving personal data of 100 million American and 6 million Canadian customers. The breach exposed a large amount of customer data, including names, addresses, phone numbers, payment histories, etc.
The company discovered the breach after a security researcher disclosed a vulnerability. An internal investigation was performed, and it was discovered that someone had gained unauthorized access to the systems and customer data between March 22 and 23. It is believed that the breach was possible because of a misconfigured web application firewall, which allowed access to the data. The vulnerability has since been fixed, and Capital One believes that the accessed information has not been used for fraud and has not been disseminated.
“On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers. This occurred on March 22 and 23, 2019”, Capital One said in a statement.
The data that the attacker was able to access is extensive and includes names, addresses, zip/postal codes, phone numbers, email addresses, dates of birth, reported income, credit scores, balances, payment history, and fragments of transaction data. Although Capital One says no credit card account numbers or login credentials were stolen, about 140,000 Social Security numbers and 80,000 bank account numbers were compromised. Around 1 million Canadian Social Insurance Numbers were also compromised. The investigation is still ongoing.
100 million American and 6 million Canadian people were affected by the breach. Each user will be notified by email and will receive free credit monitoring services. Affected users are also advised to monitor their credit reports closely, and any suspicious activity should be reported to Capital One and law enforcement.
Capital One breach suspect arrested
A suspect has been arrested after the FBI was informed of the incident. Paige Thompson, a former software engineer at a Seattle technology company, was arrested on suspicion of carrying out the hack. According to the United States Department of Justice, Thompson shared information relating to the hack on GitHub, and the post was seen by a user who reported the potential hack to Capital One. After performing an investigation and discovering the breach, the company immediately contacted the FBI. Thompson was identified as a potential suspect soon after. Copies of the data were seized during a search of her residence.
“Cyber investigators were able to identify THOMPSON as the person who was posting about the data theft. This morning agents executed a search warrant at THOMPSON’s residence and seized electronic storage devices containing a copy of the data”, the statement from the U.S. Attorney’s Office reads.
Reportedly, Thompson posted on GitHub using her own name and had hinted at having Capital One information on social media.
The company says it is unlikely that the data was used for fraud, but affected customers should still keep a close eye on their credit reports.
It is also believed that the incident will generate incremental costs of around $100 to $150 million. The company says “costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support”.