
(Updated) Capital One Data Breach Affects 100 Million Americans


Updated, 7/31/19, 5:45am PT: The U.S. Department of Justice announced that it has arrested Paige Thompson, who reportedly worked at Amazon Web Services in Seattle, for hacking into Capital One's servers. Thompson was charged with computer fraud and abuse, which the Justice Department said carries a maximum punishment of five years in prison and a $250,000 fine. She "was ordered detained pending a hearing on August 1" after the FBI searched her apartment and found evidence linking her to the Capital One data breach.

The Justice Department alleged that Thompson openly discussed the Capital One hack on GitHub, Twitter, and Slack using the "erratic" alias. Thompson was also accused of stealing--or at least attempting to steal--information from several other unidentified companies. Her comments across various social platforms then indicated that she planned to publicly share the stolen data, according to the complaint, although it's not clear if she managed to share more than a few of the stolen files before she was arrested on July 29.

Original article, 7/30/19, 8:22am PT:

Capital One revealed on Monday that a data breach compromised the personal information of roughly 100 million people in the U.S. and 6 million people in Canada. The company said that credit information, transaction history, Social Security Numbers, bank account numbers and Social Insurance Numbers were all compromised as part of the "unauthorized access by an outside individual" on July 18.

Who's Affected? 

Most of the compromised information came from consumers and small businesses that applied for a credit card between 2005 and 2019. Capital One said these applications collected "names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income." This was reportedly the "largest category of information accessed" during the data breach earlier this month.

But the breach didn't affect every individual equally. Capital One said the person who accessed its systems earlier this month only managed to steal the Social Security Numbers of 140,000 of its credit card customers, the bank account numbers of 80,000 people who linked their credit cards to their bank accounts and the Social Insurance Numbers of roughly 1 million of its customers in the Great White North.

More people had their "credit scores, credit limits, balances, payment history, contact information" and other customer status data compromised. Capital One said the breach also exposed "fragments of transaction data from a total of 23 days during 2016, 2017 and 2018." But that was still just a subset of the stolen information; most of the data reportedly came from the credit applications.

Capital One's Response

Capital One said it has already responded to the breach:

"Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate," the firm said in a statement.

Capital One said it will contact affected customers and offer free credit monitoring and identity protection services. We're interested in learning how long it plans to offer those services free of charge, especially since it doesn't think the stolen information was shared.

Just don't think this is the end of the breach's aftermath--similar breaches at the likes of Equifax took years to reach a partial resolution.

  • bit_user
    Most of the compromised information came from consumers and small businesses that applied for a credit card between 2005 and 2019.
    These guys should have to answer for why they need to keep information from 14-year-old credit card applications! Especially if you didn't even get the loan or credit card, why on earth do they still need that information? There's no good reason - they're just data hoarders.

    This wouldn't happen if the US had GDPR.
  • USAFRet
    bit_user said:
    This wouldn't happen if the US had GDPR.
    About that...

    Spain, 2018:
    https://www.theinquirer.net/inquirer/news/3035980/telefonica-breach-exposes-personal-data-of-millions-of-customers
    Germany, 2019:
    https://www.theguardian.com/world/2019/jan/08/germany-data-breach-man-held-in-suspected-hacking-case
    France, 2017:
    https://www.tripwire.com/state-of-security/security-data-protection/french-company-incurs-e250k-fine-for-data-leak/

    EU wide:
    "Over 59,000 personal data breaches reported across Europe since introduction of GDPR, according to DLA Piper survey"
    https://www.dlapiper.com/en/uk/news/2019/02/dla-piper-gdpr-data-breach-survey/
  • bit_user
    USAFRet said:
    EU wide:
    "Over 59,000 personal data breaches reported across Europe since introduction of GDPR, according to DLA Piper survey"
    https://www.dlapiper.com/en/uk/news/2019/02/dla-piper-gdpr-data-breach-survey/
    Sorry, I didn't actually mean that data breach wouldn't have happened, just that the impact would've been far smaller if they didn't hold onto that data for so long, with no apparent purpose or business necessity.

    Apologies for my sloppy wording, but thanks for your contributions, nonetheless.
  • USAFRet
    bit_user said:
    Sorry, I didn't actually mean that data breach wouldn't have happened, just that the impact would've been far smaller if they didn't hold onto that data for so long, with no apparent purpose or business necessity.

    Apologies for my sloppy wording, but thanks for your contributions, nonetheless.
    I have had people attribute magical powers to the GDPR, and the earlier UK Data Protection Act.

    Just last week, the instructor of a class I was in (Cybersecurity):
    "A European website can't collect any data on you. No personal info at all."

    I countered with:
    'Yes they can, if they have a need and they inform you of it.'

    Him:
    "NO! They can't, at all."

    'So if I buy something from a German website, how do they know where to ship it to, and how do they get my money?'

    He then just quickly moved on to the next topic.


    And here, there IS a requirement to retain records like that for X years.
    In the aftermath of the Enron scandal, financial companies are required, by law, to retain records like that for some number of years.
  • TJ Hooker
    USAFRet said:
    And here, there IS a requirement to retain records like that for X years.
    In the aftermath of the Enron scandal, financial companies are required, by law, to retain records like that for some number of years.
    Why on earth would they be required to keep personal information of their customers for extended periods of time? I assume you're referring to the Sarbanes–Oxley Act, which applies to financial records, not customer info...
  • USAFRet
    TJ Hooker said:
    Why on earth would they be required to keep personal information of their customers for extended periods of time? I assume you're referring to the Sarbanes–Oxley Act, which applies to financial records, not customer info...
    Why would customer financial records not be "financial records"?

    In any case, it happened here, it happens in Europe, it happens everywhere.
    There is no law or regulation that can prevent malice...only punish after the fact.
  • bit_user
    USAFRet said:
    I have had people attribute magical powers to the GDPR, and the earlier UK Data Protection Act.
    Okay, but just so we're clear, that wasn't my intent. I was just referring to the data-retention aspect.

    USAFRet said:
    Why would customer financial records not be "financial records"?
    sigh
    SarbOx is about keeping financial records of the company, so that auditors can find evidence of fraud or embezzlement. They don't just blindly keep all data that is at all financial in nature. There's no way the company's auditors need to see millions of 15-year-old credit card & loan applications. Not even recent ones, because those are financial records about the customers - not the company.

    Seriously, now you're starting to sound like that dude you were mocking.

    USAFRet said:
    There is no law or regulation that can prevent malice...only punish after the fact.
    But you can mitigate the impact of such hacks.

    And if there's less data to steal, it also makes theft less tempting, so fewer are likely to bother. I agree there's no magic bullet that can stop all hacks, but there are many small steps that can be taken to manage the problem.
  • USAFRet
    Yes.
    Reduce the amount of data, and you reduce the temptation.
    Sadly, unless forced to, companies don't willingly destroy data like that.

    And even weirder, this particular breach was seemingly not done for financial gain, but for the perp to get notoriety. "See what I did? That proves I'm a leet hacker, now gimme a job."
    That worked out well for her.
  • bit_user
    USAFRet said:
    And even weirder, this particular breach was seemingly not done for financial gain, but for the perp to get notoriety. "See what I did? That proves I'm a leet hacker, now gimme a job."
    As far as we know. If she really just wanted to know if she could pull it off, then I don't see why she went to the trouble of transferring all of the data.

    Maybe she did sell it, but wasn't caught in the act. I don't expect her to volunteer that information, if she did.

    But I get your point - that she only got caught because she couldn't resist telling somebody, and probably didn't know anyone 1337 enough. I think it's basic human nature to want to brag about your accomplishments, and I've heard, in the news, of several other perpetrators of big hacks who've been caught in this same way, over the years.