Capital One Financial announced on July 29 that a hacker obtained the personal information of approximately 100 million individuals in the United States and approximately six million individuals in Canada.

In comparison, the data breach of credit-reporting agency Equifax—the largest-ever breach of consumer data—impacted approximately 143 million U.S. consumers. In a statement announcing the data breach, Capital One said “on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.”

On the same day that Capital One announced the data breach, the Department of Justice announced the arrest of Paige Thompson, a former software engineer at a Seattle technology company, in connection with the data breach. Thompson made her initial appearance in U.S. District Court in Seattle on July 29. A hearing is scheduled for Aug. 1.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Capital One Chairman and CEO Richard Fairbank. “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”

According to the criminal complaint, Thompson posted on the information-sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured Web application firewall that enabled access to the data.

On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19 that there had been an intrusion into its data, Capital One contacted the FBI. “Capital One quickly alerted law enforcement to the data theft, allowing the FBI to trace the intrusion,” said U.S. Attorney Brian Moran.

In addition to contacting the FBI, Capital One said it also “immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”

Data accessed

According to Capital One, no credit card account numbers or log-in credentials were compromised, and over 99 percent of Social Security Numbers were not compromised. “The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” Capital One said.

This information included personal information that Capital One said it routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, e-mail addresses, dates of birth, and self-reported income.

Beyond the credit card application data, the individual also obtained portions of credit card customer data, including customer status data (e.g., credit scores, credit limits, balances, payment history, and contact information) and fragments of transaction data from a total of 23 days during 2016, 2017, and 2018.

Capital One downplayed the number of Social Security numbers that were compromised, stating that “no bank account numbers or Social Security numbers were compromised, other than” (emphasis added) “about 140,000 Social Security numbers of our credit-card customers,” and “about 80,000 linked bank account numbers of our secured credit-card customers. For our Canadian credit-card customers, approximately one million Social Insurance Numbers were compromised in this incident.”

As part of its remediation efforts, Capital One said it “will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected.”

“Safeguarding applicant and customer information is essential to our mission and our role as a financial institution,” the company said. “We have invested heavily in cyber-security and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber-defenses.”

The investigation into the data breach remains ongoing.