
Capital One Data Breach Affects 100 Million in U.S.; Cybercriminal Arrested

Capital One has announced that it has suffered a data breach affecting approximately 100 million individuals in the US and approximately 6 million in Canada.

The company determined that there had been unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for Capital One credit card products and to Capital One credit card customers. The U.S. Department of Justice has confirmed that Paige Thompson, a former Seattle technology company software engineer, was arrested on July 29.

Paige Thompson had posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. A GitHub user who had seen the post alerted Capital One to the possibility it had suffered a data theft. Thompson was identified by investigators and a search warrant was executed at Thompson’s residence. Electronic storage devices containing a copy of the data were seized. Computer fraud and abuse is punishable by up to five years in prison and a $250,000 fine.

“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” said U.S. Attorney Moran. “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”

Capital One has confirmed that the misconfigured web application firewall that enabled access to the data has been fixed.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Chairman and CEO. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

The company does not believe any credit card account numbers or log-in credentials were compromised, and over 99 percent of Social Security numbers were not compromised.

Information believed to have been compromised includes personal information collected at the time of applying for credit cards, such as addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Portions of credit card customer data are also believed to have been compromised, including customer status data, e.g., credit scores, credit limits, balances, payment history, contact information, and fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.

Approximately 140,000 Social Security numbers of Capital One’s credit card customers and about 80,000 linked bank account numbers of the company’s secured credit card customers were compromised. Approximately 1 million Social Insurance Numbers were compromised from Capital One’s Canadian credit card customers.

Capital One has said it will notify affected individuals through a variety of channels. Free credit monitoring and identity protection will be made available to everyone affected.

Capital One has extended its thanks to the FBI’s Seattle Field Office and Special Agent Joel Martini, to U.S. Attorney Brian T. Moran, and to Assistant U.S. Attorneys Steven Masada and Andrew Friedman of the Western District of Washington for the speed with which they responded to this incident and apprehended the responsible party.