• A hacker stole personal information of Capital One’s customers, affecting 106 million individuals in the United States and Canada.
  • Stolen data includes personal information, customer status data, social security numbers, linked bank account numbers, and more.
  • The person responsible for this data breach is Paige Thompson (33), now facing charges punishable by up to 5 years in prison and a $250,000 fine.

Capital One has publicly revealed a data breach affecting 106 million individuals, exposing their personal data to third parties. A hacker managed to retrieve personal information of individuals from the United States and Canada, who applied for this bank’s credit card products. The FBI was involved in this investigation, and the person responsible for this data is already in custody.

This data breach was first reported to Capital One on July 17, 2019. An ethical hacker found a vulnerability in a misconfigured Web application firewall that allowed third parties to obtain personal information of this bank’s clients. Upon further investigation of whether this vulnerability had been used in the past, an instance of unauthored access was detected, happening between March 22 and 23, 2019. Based on current analysis, the event affected 100 million individuals in the United States and approximately 6 million in Canada.

No credit card numbers or log-in credentials were stolen, and over 99 percent of social security numbers were not compromised. Still, a wide range of personal information was accessed. As per Capital One’s press release, the following types of data were stolen:

  • Personal information: Names, addressed, zip codes, phone numbers, email addresses, date of birth, and self-reported income.
  • Customer status data: Credit scores, credit limits, balances, payment history, and contact information.
  • Fragments of transaction data from a total of 23 days during 2016, 2017, and 2018.
  • Around 140,000 Social Security Numbers of Capital One’s credit card customers in the US. Approximately 1 million Social Insurance Numbers of the bank’s Canadian customers.
  • Around 80,000 linked bank account numbers of Capital One’s secured credit card customers.

According to a press release by the Department of Justice, a person responsible for this data breached was identified and then arrested by the FBI. Named Paige Thompson (33), one of the first clues about this person appeared on GitHub. She had posted a comment on this website about her access to Capital One’s data. Thompson was one of the organizers of a Meetup group called the Seattle Warez Kiddies, as reported by the New York Times. Even though she used an alias online, the FBI managed to match her alias to a number of online accounts (including Twitter and Slack). Upon executing a search warrant at Thompson’s residence, electronic storage devices containing a copy of the data had been discovered. The hacker is now in custody, facing ‘computer fraud and abuse’ charges – punishable by up to five years in prison and a $250,000 fine. You can find the full DOJ complaint online, with additional details of the investigation.

Capital One is currently in the process of contacting individuals affected by this breach, and the bank will be providing free credit monitoring services. However, if you’re a Capital One customer, it’s recommended to monitor your credit card report for any suspicious activity. In case you detect anything strange, don’t hesitate to report the problem to the police, Capital One, and your credit agency.

Finally, Capital One estimates that the costs of this data breach will be from $100 to $150 million in 2019. These will be mostly driven by customer notifications, credit monitoring, technology costs, and legal support. Even though these costs might sound like bad news for Capital One, the bank says that it has cyber-security insurance covering up to $400 million with a $10 million deductible.

Were you affected by this breach or any similar breach of personal information? Make sure to let us know in the comments section below, and don’t forget to follow us via our social media profiles, on Facebook and Twitter. Thanks!