WatchPoint Security Blog

106 Million People Affected in Capital One Data Breach

Written by Jordan Kadlec | July 30, 2019

On Monday, July 29, Capital One announced a data breach that has exposed the personal information of 106 million people. The breach includes data such as transaction data, credit scores, payment history, balances, linked bank accounts, and Social Security numbers.

Ethical Hacker Notified Capital One

On July 17th, an ethical hacker disclosed the vulnerability to Capital One, and after an internal investigation, Capital One discovered that an unauthorized user had accessed their systems and customer data between March 22nd and 23rd of 2019.

“On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers,” Capital One stated in a data security incident notice.

The investigation also revealed the unauthorized user was able to access information for 100 million people in the United States and 6 million people in Canada. While it was determined that no credit card account numbers or login credentials were accessed, a wide array of other information was compromised.

Below is an excerpt from the data security incident notice released by Capital One.

The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2016

No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of our credit card customers
  • About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

FBI Arrests Suspect

An individual named Paige Thompson, believed to reside in Seattle, was arrested by the FBI in connection to the Capital One hack.

“According to the criminal complaint, Thompson posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data, the Department of Justice stated in an announcement. “The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI. Cyber investigators were able to identify Thompson as the person who was posting about the data theft.”

Were You Affected?

If you are a Capital One customer or applied for a Capital One credit card product from 2005 through early 2019, you need to determine whether your information was included in the data breach.

According to CNBC, here are the guidelines to determine if your information has been compromised as well as instructions on how to ensure your account security:

  1. Capital One will notify affected individuals through a variety of channels and offer free credit monitoring and identity protection available to all affected.
  2. Capital One believes it is unlikely that the information was used for fraud or disseminated.
  3. Enroll in account text and/or email alerts to help keep track of activity.
  4. Monitor credit card accounts for unusual or suspicious activity.
  5. Call the number on the back of the credit card if unusual activity is observed.
  6. Stay vigilant about the possibility of phishing emails and calls following the breach.
  7. Capital One is not calling customers to ask for credit card or account information or Social Security numbers over the phone or via email.
  8. Report emails suspected of phishing activity by forwarding it to the official Credit One security account, abuse@capitalone.com. Do not reply to suspicious email and delete them after forwarding them to Capital One.

For more information and updates on how to determine whether you’ve been affected the breach, visit the Capital One website established specifically for this breach; https://www.capitalone.com/facts2019

Photo courtesy of ITPro.com