Capital One has announced a data breach that has exposed the personal information of 106 million people that includes transaction data, credit scores, payment history, balances, and for some, linked bank accounts and social security numbers.
The data breach was discovered when an ethical hacker responsibly disclosed the vulnerability to Capital One on July 17th, 2019. After performing an internal investigation of whether this vulnerability had been used in the past, Capital One discovered that an unauthorized used had access to their systems and customer data between March 22nd and 23rd of 2019
"On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers", Capital One stated in a data
security incident notice. "This occurred on March 22 and 23, 2019."
Their investigation discovered that the unauthorized user was able to access the information for 100 million people in the United States and 6 million people in Canada. After fixing the vulnerability used in the breach, they provided information to the FBI who arrested the suspected hacker.
While no credit card account numbers or login credentials were accessed, a wide range of other information was accessed.
"The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
• Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
• Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
No bank account numbers or Social Security numbers were compromised, other than:
• About 140,000 Social Security numbers of our credit card customers
• About 80,000 linked bank account numbers of our secured credit card customers
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident."
Capital One will be notifying each user who was affected by email and will be providing free credit monitoring service.
Due to the amount of personal information that was exposed and how it can be used for identity theft, it is strongly advised that users monitor their credit reports for suspicious activity and immediately report anything detected to both the police, Capital One, and the credit agencies.
It is also strongly suggested that you freeze your credit report if you were affected to make it more difficult for bad actors to fraudulently take out credit in your name.
Suspect arrested by FBIA Seattle person named Paige Thompson was arrested by the FBI in connection to the hack of Capital One's systems.
A press release by the Department of Justice states that a security researcher became suspicious after Thompson allegedly posted a comment on GitHub about her accessing Capital One's data and reported it to Capital One.
"According to the criminal complaint, THOMPSON posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data," the DOJ announcement stated. "The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI. Cyber investigators were able to identify THOMPSON as the person who was posting about the data theft. This morning agents executed a search warrant at THOMPSON’s residence and seized electronic storage devices containing a copy of the data. "
According to the
New York Times, Thompson was the organizer of a Meetup group called the
Seattle Warez Kiddies that was for anybody "with an appreciation for distributed systems, programming, hacking, cracking, scripting, electronics, Linux, etc. "
Investigators stated that she went by the online alias “erratic" and law enforcement was able to verify her identity after she posted an image of a veterinarian invoice.
The full DOJ complaint can be read
here.
Capital One reassures investorsAfter seeing what large data breach announcements have done to the stock prices for other companies, Capital One is using the security incident notice to allay the fears of their investors.
According to Capital One, this incident is expected to generate costs of approximately $100 to $150 million in 2019 due to customer notifications, free credit monitoring services, security improvement costs, and legal fees.
"We expect the incident to generate incremental costs of approximately $100 to $150 million in 2019. Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support. We expect to accrue the costs for customer notification and credit monitoring in 2019. The expected incremental costs related to the incident will be separately reported as an adjusting item as it relates to the Company's financial results. "
Even with these increased costs, Capital One states that they have cybersecurity insurance that will cover up to $400 million with a $10 million deductible.
With this said they are trying to reassure investors that this breach will not have much effect on their bottom line and are "affirming its existing efficiency guidance, which in all cases is net of adjustments."
Updated 7/29/19: Added information about an alleged suspect.
source
