Capital One Data Breach Affects 106 Million People, Suspect Arrested
Capital One, the 10th largest bank in the United States, has suffered a massive data breach impacting 100 million people in the US and another 6 million in Canada. The exposed data includes sensitive financial information such as transaction data, credit scores, payment history and balances. In addition, the social security numbers and linked bank accounts of some people were exposed. According to a statement by the US Department of Justice, a Seattle resident named Paige Thompson has been arrested in connection with the breach.
Thompson “posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data.” A GitHub user notified Capital One about the post on July 17, after which Capital One launched an investigation. On July 19, the bank determined that in March of this year, “there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers.” The threat actor had taken advantage of a vulnerability in the bank’s systems. Capital One fixed the flaw and informed the FBI. Soon after, “cyber investigators were able to identify Thompson as the person who was posting about the data theft.” On Monday, “agents executed a search warrant at Thompson’s residence and seized electronic storage devices containing a copy of the data.”
Capital One stated that most of the compromised data affects consumers and small businesses who applied for a credit card product between 2005 and early 2019. The exposed data for these victims includes “names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.” In addition, the hacker obtained “credit scores, credit limits, balances, payment history, contact information” and “fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.” Finally, about 80,000 linked bank account numbers were compromised, as well as 140,000 Social Security numbers of US customers and 1 million SSNs of Canadian customers.