Capital One Financial Corp., the fifth largest United States credit card issuer, announced on July 29, 2019 that a data breach exposed approximately 140,000 Social Security numbers and about 80,000 linked bank account numbers – impacting nearly 100 million U.S. residents and 6 million Canadian residents. The breach also included other personal information like names, addresses, postal codes, phone numbers, email addresses, dates of birth and self-reported income, credit scores, credit limits, balances, payment history, contact information and fragments of transaction data from a total of 23 days over the past three years.
Capital One stated that it became aware of the breach July 19 after details of the hack were posted on code-sharing website GitHub. The alleged hacker, Paige A. Thompson, has been arrested and charged with a criminal computer fraud and abuse count in Washington federal court, and faces a maximum penalty of five years in prison and a $250,000 fine. The criminal complaint alleges she gained access to the data sometime between March 12, 2019 and July 17, 2019 by compromising Capital One’s servers at a cloud computing company. One GitHub user who saw the information Thompson posted notified Capital One, and the company then notified the FBI.
The data was stored on Amazon Web Services, and investigators say the firewall was poorly configured, allowing Thompson, a former Amazon Web Services employee, to breach the cloud service. Amazon asserts that it is not responsible.
Capital One says it expects the incident to cost $100 million to $150 million this year. It remains to be seen whether the company will face any other consequences or fines in this emerging era of high fines for large companies lax about data privacy (think Facebook, Equifax, Marriott, and British Airways) and tightening regulations. Questions are being raised about whether Capital One put insufficient safeguards in place to lock down customer records when it adopted cloud technology.
Capital One says it has already identified and fixed the exploited vulnerabilities, has notified affected individuals, and has provided free credit monitoring. The company carries a total coverage limit of $400 million in cybersecurity insurance. Consumers who may be affected should take steps to safeguard their financial accounts, including freezing their credit so no one can access their credit reports without their permission, monitoring their credit reports, and scrutinizing potential “scam” phone calls in the wake of this incident.