100 million customers' personal data exposed in Capital One data breach
Capital One, the Virginia-based bank with a popular credit card business, announced on Monday that a hacker gained access to more than 100 million of its customer accounts and credit card applications, resulting in a massive data breach.
According to the company and the U.S. Department of Justice, the compromised data includes 140,000 Social Security numbers and 80,000 bank account numbers, in addition to the tens of millions of credit card applications stolen. The breach also compromised one million Canadian social insurance numbers — the equivalent of Social Security numbers for Americans, the company said.
The information collected for credit card applications came from consumers and small businesses who submitted applications from 2005 through early 2019. The company stressed that it believes no credit card account numbers or log-in credentials were compromised. It also added that over 99 percent of Social Security numbers were not compromised.
The company plans to give free credit monitoring services to those affected.
“Based on our analysis to date,” the bank said in a statement, “we believe it is unlikely that the information was used for fraud or disseminated by this individual.” However, the company is still investigating.
The data breach, which took place between March 12 and July 17, came to light only after the suspect, Paige A. Thompson, 33, a former Seattle technology company software engineer who also goes by the handle “erratic”, left a trail online for investigators to follow as she boasted about the hacking.
She allegedly “posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data,” using her own name on April 21, according to the court documents filed in Seattle, where she was arrested.
Thompson was reportedly able to gain access to the sensitive data through a “misconfiguration” of a firewall on a web application. The misconfiguration allowed her to communicate with the server where Capital One was storing its information and, ultimately, to obtain customer files.
On July 17, a Twitter user who saw Thompson’s post on GitHub emailed Capital One to notify the company that its data had been stolen and leaked online.
Two days later, on July 19, Capital One confirmed the vulnerability in its system and that a hacker had indeed obtained “certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers”. The company then informed the FBI.
According to the FBI complaint, a month earlier a Twitter user who went by “erratic” had sent direct messages warning about giving out the bank’s data, including names, birthdates, and Social Security numbers. The recipient of those messages later reported them to Capital One.
“Ive basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” one message said. “I wanna distribute those buckets i think first.”
“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” said U.S. Attorney Moran. “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”
The FBI executed a search warrant at Thompson’s home on Monday morning and seized storage devices that contained a copy of the data.
Thompson made a court appearance on Monday and was ordered detained until a hearing on Thursday. She was charged with one count of computer fraud and abuse in U.S. District Court in Seattle, and could face up to 5 years in prison and a $250,000 fine.
Capital One’s CEO said the company was glad the hacker had been caught, but was “deeply sorry for what has happened.”
“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” CEO Richard D. Fairbank said in a statement.
The company said it expects the breach to cost up to $150 million, including paying for credit monitoring for affected customers.