Personal details of 106 million Americans and Canadians stolen in huge Capital One data breach
A hacker has been arrested following a massive data breach at Capital One. The attacker -- Paige A Thompson, also known as "erratic" -- was able to access the credit applications of 100 million Americans and 6 million Canadians after exploiting a "configuration vulnerability".
In most cases, personal details such as name, date of birth, address and phone number were exposed by Thompson, but for tens of thousands of individuals, she also gained access to credit scores, Social Security numbers and account balances.
See also:
- Microsoft warns thousands that they are victims of state-sponsored hacking
- You need to update your Logitech wireless dongle to avoid falling victim to MouseJack hacking
- Ubuntu-maker Canonical's GitHub account hacked
Thompson was arrested on Monday, and charged with computer fraud dating back a few months, but Capital One has only just revealed details of the data breach. The company says that on July 19 it discovered that unauthorized access to data took place on March 22 and 23 this year.
Capital One issued a statement about the incident, saying that: "we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate".
The company went on to say:
Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
- Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
No bank account numbers or Social Security numbers were compromised, other than:
- About 140,000 Social Security numbers of our credit card customers
- About 80,000 linked bank account numbers of our secured credit card customers
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
We will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected.
Capital One says that although it encrypts its data, "due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data". The incident is predicted to cost the company between $100 and $150 million.
Image credit: Supannee_Hickman / Shutterstock