Capital One, the fifth largest credit card issuer in the Unites States, revealed Monday that a hacker accessed the personal information of around 106 million customers and applicants in the United States and Canada. The information that was accessed included highly personal details on consumers and small businesses, including names, social security numbers, income and dates of birth as of the time they applied for one of several credit card products from 2005 through early 2019. Capital One also said that the alleged perpetrator of the hack has been arrested and is in federal custody.
What was Accessed?
The hacker, according to Capital One, was able to access information that Capital One collects through credit card applications, including names, addresses, postal codes, phone numbers, email addresses, dates of birth and self-reported income. More specifically, the hacker accessed customer status data including credit scores, credit limits, balances, payment history, contact information, about 140,000 social security numbers, approximately one million Canadian Social Insurance Numbers and 80,000 linked bank account numbers for Capital One’s secured credit card customers. 100 million people in the U.S. were exposed in the breach, and 6 million Canadians, according to the company.
Richard Fairbanks, the Chairman and CEO of Capital One, issued the following statement through a press release: "While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
Capital One said no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised, beyond the 140,000 that the bank is aware of.
Who was Behind the Hack?
The Wall Street Journal reported that the FBI had arrested the alleged hacker, Paige A. Thompson, earlier in the day in Seattle. Thompson, according to the Journal, is a former Amazon Web Services. Investigators accuse Ms. Thompson of hacking into the servers that Capital One rented from Amazon’s cloud-computing company to steal customer data from the bank. Ms. Thompson was charged with one count of computer fraud and abuse, allegedly accessed the bank’s data through a misconfigured firewall, according to the criminal complaint.
What Should Customers Do?
For customers, Capital One has posted an FAQ that details how it is responding to the breach and what customers can do if they are concerned. The company says it will notify affected individuals through a variety of channels. Free credit monitoring and identity protection will be made available to those impacted, but Capital One suggests that customers monitor their accounts for suspicious activity and report it to the bank immediately.