Capital One Financial has joined the growing list of major U.S. financial companies to fall victim to a hack, revealing the data breach impacted about 100 million credit card customers in the U.S. and six million more in Canada.
In a press release alerting the world to the breach, Capital One said the hacker accessed credit card application information on consumers and small businesses dating back to 2005. The information included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income. Credit scores, credit limits, balances and payment history were also disclosed in the breach.
The credit card issuer said around 140,000 Social Security numbers of credit card customers and around 80,000 linked bank account numbers of secured credit card customers were exposed. In Canada, about 1 million Social Insurance Numbers were compromised in the hack.
FBI Arrested Seattle Woman for the Data Breach
Earlier this week the Federal Bureau of Investigation arrested 33-year-old Paige Thompson of Seattle, Washington for being behind the hack of Capital One. The software engineer bragged about the breach on GitHub, which led to her arrest. According to the complaint, Thompson is a former software engineer at Amazon Web Services, which Capital One used for cloud computing services.
The intrusion occurred through a misconfigured web application firewall, the U.S. State’s Attorney Office for the Western District of Washington said in a press release. On 17 July a GitHub user alerted Capital One to the possible intrusion. After determining that it had indeed been hacked on 19 July, the credit card company reached out to the FBI. The AG said computer fraud and abuse is punishable by up to five years in prison and a $250,000 fine.
Capital One's CEO Issues an Apology
Capital One said that once it learned of the security hole it “immediately” fixed the configuration vulnerability that Thompson exploited to get into the network. The company confirmed Thompson was arrested. It said it doesn’t think the information obtained was used for fraud or was shared with others.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, Chairman and CEO, in the press release. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right." The company is offering affected customers two years of free credit monitoring.
Capital One is the Latest in Growing List of Breaches
Capital One is just the latest major financial firm to suffer a data breach that exposes the private information of millions. In 2017 credit scoring company Equifax was hacked, exposing the data of 147 million people. Last year Facebook revealed Cambridge Analytica, the now-defunct political consulting company, accessed the data of 87 million users without their consent.
The laundry list of data breaches has led regulators and lawmakers to investigate, with some calling for company executives to be held accountable when the privacy of their customers is put at risk. Facebook earlier in July agreed to pay the Federal Trade Commission a $5 billion fine as a result of the Cambridge Analytica scandal.