100 million Americans and 6 million Canadians caught up in Capital One breach

Over 1 million Canadian social insurance numbers accessed in breach.
Written by Chris Duckett, Contributor

Capital One has disclosed that it has suffered a data breach impacting 100 million people in the United States, and 6 million in Canada.

The company said in a statement that data between 2005 and 2019 was accessed and related to information on consumers at the time when they applied for a credit card.

"This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income," the company said.

"Beyond the credit card application data, the individual also obtained portions of credit card customer data, including: Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information; Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018."

Approximately 1 million Canadian social insurance numbers, as well as 140,000 American social security numbers and 80,000 bank account numbers were also accessed.

"No bank account numbers or Social Security numbers were compromised," the bank said before listing the above numbers.

Capital One said it became aware of the access on July 19, and that it "immediately fixed the configuration vulnerability that this individual exploited". It added that the individual that accessed the records is now arrested and in custody.

"Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual," the company said.

"However, we will continue to investigate."

See also: Only three global banks given top website security score by ImmuniWeb

It added the configuration vulnerability was disclosed to it by an external security researcher, which led to an internal investigation and discovery of the incident.

Although Capital One said its data was encrypted, the attacker was able to decrypt it.

"It is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers," Capital One said.

"Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected."

The impact of the breach is expected to be between $100 million to $150 million in 2019, the company added.

In a separate announcement, the US Attorney's Office for the Western District of Washington said it had arrested a "former Seattle technology company software engineer" in relation to the breach. The accused suspect, Paige Thompson who uses the handle erratic, appeared in US District Court on Monday and is pending a hearing on August 1.

Thompson is alleged to have posted on GitHub about the incident, with the Attorney's Office saying her access was due to a misconfigured web application firewall.

The complaint filed in court shows Capital One being alerted to an S3 bucket leak, and states the firewall configuration allowed commands to be executed on a server that enabled access to "buckets of data".

It further states that Capital One verified Thompson had a list of over 700 of its buckets, and the bank's logs showed attempted connections from Tor exit nodes that matched an IP address which made irregular use of a firewall account to list buckets. Other commands were also made from IP addresses that belonged to a VPN provider that Thompson is a customer of, the US alleges.

The complaint also alleges that based on a resume uploaded to GitLab, Thompson used to work at the cloud company involved, and alleges Thompson posted a list of files in her possession to a Slack channel.

"Im like > ipredator > tor > s3 on all this shit," the complaint screenshots a Slack user called erratic saying.

A search of Thompson's bedroom found "files and items" that referenced Capital One and "the Cloud Computing Company", the complaint added. 

"Cyber investigators were able to identify Thompson as the person who was posting about the data theft," the Office said.

"This morning agents executed a search warrant at Thompson's residence and seized electronic storage devices containing a copy of the data."

"Capital One quickly alerted law enforcement to the data theft -- allowing the FBI to trace the intrusion," said US Attorney Moran.

"I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it."

The Office added that computer fraud and abuse is punishable by five years in prison and a $250,000 fine.

Update at 10:17am AEST, July 30, 2019: Added additional information from the US Attorney's Office.

Update at 10:55am AEST, July 30, 2019: Added additional information from the complaint.

Related Coverage

Hackers target 62 US colleges by exploiting ERP vulnerability

Attacks failed; however, the Department of Education is alerting colleges about ongoing exploitation attempts.

Sephora data breach hits Southeast Asia and ANZ customers

Some personal information such as first and last name, date of birth, gender, email address, and encrypted password, as well as data related to beauty preferences may have been exposed.

Brazilian banking users exposed by 250GB data leak

A financial services provider has leaked personal details of potential and current clients of various local banking institutions.

How businesses can reduce the financial impact of data breaches (TechRepublic)

The cost of a data breach has grown 12% over the past 5 years, hitting $3.92 million on average. Organizations can take steps to mitigate the financial damage, according to a new report.

Editorial standards