Capital One Hack Exposes 100M Accounts


Capital One has revealed that more than 100 million customers had their personal information hacked, including credit scores, credit limits, balances, payment history, and contact information, as well as 140,000 Social Security numbers and 80,000 linked bank account numbers of secured credit card customers.

Confidential data for around 106 million Capital One customers’ accounts and credit card applications was stolen by an alleged hacker, Paige Thompson, 33, in March of this year.

Thompson was arrested by the FBI on June 29 and is accused by the US Department of Justice of having gained unauthorised access to personal data that included names, addresses, zip codes, phone numbers, email addresses, dates of birth and self-reported income.

All this data is collected by Capital One “routinely” each time it receives credit card applications, the company has revealed in an official statement.

The breach is thought to have affected roughly 100 million United States customers and 6 million Canadians. The suspect allegedly gained access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, as well as data pertaining to customers’ credit scores, credit limits, balances

Thompson had formerly worked as a software engineer for a cloud hosting company used by Capital One. Her access to the company’s servers was facilitated by exploiting a misconfigured web application firewall, according to court filings.

Capital One says that it immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Chairman and CEO.

“I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Capital One says that no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

Capital One says that it will notify affected individuals through a variety of channels and will make free credit monitoring and identity protection available to everyone affected.