Capital One announced on Monday night that it was the victim of a data breach that impacted 100 million individuals in the United States and close to 6 million in Canada.
The massive breach was discovered on July 19, 2019, after a hacker gained unauthorized access to steal personal data. The heist exposed personal data related to people who had applied for credit card products as well as Capital One credit card customers.
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income,” the company stated in the press release.
Although credit card numbers and passwords weren’t stolen, the company did confirm that close to 140,000 Social Security numbers and 80,000 bank account numbers were included in the heist. The data breach also exposed names, addresses, phone numbers and credit scores.
Update July 31:
It appears the breach was attributed to an “insider threat.”
On July 29, FBI agents arrested a Seattle software engineer, Paige A. Thompson, on suspicion of stealing over 100 million credit applications and nearly 30GB of data, according to a Brian Krebs report. Thompson likely took advantage of insider information and vulnerabilities in a rented cloud data server.
Thompson’s resume revealed she was previously employed by Amazon, so she likely had insider knowledge of misconfigurations and vulnerabilities of cloud systems.
Capital One said the vulnerabilities were quickly fixed after the exposure was discovered.