- An unauthorized third party accessed the information of 106 million people by exploiting a configuration vulnerability.
- The exposed information includes personal information, credit card data, transaction data, Social Security numbers, linked bank account numbers, and Social Insurance numbers of consumers and small businesses who applied for credit card products between 2005 and 2019.
Capital One disclosed that it suffered a data breach exposing the personal information of around 106 million people due to a configuration vulnerability.
The big picture
Capital One became aware of the incident on July 17, 2019, after an ethical hacker responsibly disclosed the vulnerability to the company. Capital One then launched an internal investigation into the vulnerability and found that an unauthorized third party had gained access to its systems and customer data between March 22, 2019, and March 23, 2019.
- The investigation revealed that the unauthorized third party accessed the information of 100 million people in the United States and 6 million people in Canada.
- Capital One immediately fixed the vulnerability and then reported the incident to the FBI.
“Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible and that person is in custody,” Capital One said in a security notice.
What information was compromised?
The exposed information includes the personal and financial information of consumers and small businesses who applied for credit card products between 2005 and 2019. This information includes:
- Personal information such as names, dates of birth, phone numbers, email addresses, addresses, zip codes/postal codes, and self-reported income.
- Credit card application data including customer status data, credit scores, credit limits, balances, payment history, and contact information.
- Transaction data from a total of 23 days during 2016, 2017 and 2018.
- Social Security numbers of over 140,000 credit card customers.
- Linked bank account numbers of around 80,000 credit card customers.
- Social Insurance Numbers for nearly 1 million Canadian credit card customers.
What actions were taken?
- Capital One fixed the configuration vulnerability in its infrastructure that the attacker exploited to access the customer data.
- The organization has augmented routine automated scanning and verified that there are no other misconfigured instances in its infrastructure.
- Capital One has invested heavily in cybersecurity and is incorporating the learnings from this incident to strengthen its cyber defenses.
- It is offering free credit monitoring and identity protection services for all impacted customers.
“We are very thankful to the FBI's Seattle Field Office and Special Agent Joel Martini, to U.S. Attorney Brian T. Moran, and to Assistant U.S. Attorneys Steven Masada and Andrew Friedman of the Western District of Washington for the speed with which they responded to this incident and apprehended the responsible party,” Capital One said.
Arrest of the suspect
A former Seattle technology company software engineer, Paige A. Thompson, 33, also known as "erratic," has been arrested by the FBI for stealing customer data from Capital One.
Upon discovery on July 19, 2019, Capital One notified the FBI. Cyber investigators identified Thompson as the person who posted about the data theft on GitHub. FBI agents then executed a search warrant at Thompson's residence and seized electronic storage devices containing a copy of the data.
“According to the criminal complaint, THOMPSON posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft,” DOJ said in a press release.