Capital One data breach involves 100 million credit card applications

[Photo illustration: Capital One was hacked. Credit: SOPA Images]

Capital One said Monday that data from more than 100 million US citizens and 6 million Canadian residents had been stolen by a hacker. 

If you applied for a credit card from the US bank between 2005 and 2019, your information is likely part of this breach, Capital One said in a statement. The data includes roughly 140,000 US Social Security numbers and about 80,000 bank account numbers, according to Capital One. The hacker also stole about 1 million Canadian social insurance numbers in the breach, the company said.

Capital One added that “no credit card account numbers or log-in credentials were compromised,” and that more than 99 percent of the Social Security numbers that Capital One has on file weren’t affected. The breach did, however, include names, addresses, zip codes, phone numbers, email addresses and birthdates — all valuable assets that hackers can use to steal from victims.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Chairman and CEO of Capital One. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

The FBI arrested a 33-year-old tech worker named Paige A. Thompson, who goes by the name “erratic,” according to court documents. Prosecutors charged Thompson with computer fraud and abuse, alleging that she was behind the hack. 

“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” US Attorney Brian T. Moran said in a statement. 

According to court documents, Thompson allegedly stole the information by finding a misconfigured firewall on Capital One’s Amazon Web Services cloud server. Investigators accused Thompson of accessing that server from March 12 to July 17. More than 700 folders of data were stored on that server, according to the Justice Department. 

Thompson allegedly posted details about the hack on a GitHub page in April, and talked about the attack on Twitter and Slack discussions, according to the FBI. 

Court documents showed that Capital One didn’t learn about the hack until July 17, when someone sent a message to the company’s responsible disclosure email address with a link to the GitHub page. The page had been up since April 21, with the IP address for a specific server containing the company’s sensitive data. 

The GitHub page had Thompson’s full name, as well as another page containing her resume. Court documents showed that on the resume, Thompson was listed as a systems engineer and a former employee at Amazon Web Services from 2015 to 2016. In a statement, Amazon said the former employee left the company three years before the hack took place.

“AWS was not compromised in any way and functioned as designed,” an Amazon spokesperson said in an email. “The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure.”

The FBI also found Twitter message logs where Thompson allegedly wrote, “I’ve basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it,” noting that she wanted to distribute the data she stole.

Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual” but committed to investigating the hack fully. Capital One expects this hack will cost the company “approximately $100 to $150 million in 2019.”

The FBI seized Thompson’s devices on Monday after obtaining a search warrant, and arrested her. If found guilty, Thompson faces up to five years in prison and a $250,000 fine. 

This incident comes in the wake of news that Equifax may have to pay up to $700 million over a 2017 data breach. That breach involved the Social Security numbers and home addresses of nearly 148 million Americans, taken from Equifax’s servers in a hack that ran from May to July 2017.

Like Equifax, Capital One said that it would be providing free credit monitoring and identity protection to everyone affected.

Update, July 29, 6:03 p.m. PT: Adds statement and additional details from Capital One.
Update, 6:46 p.m. PT: Adds details from the criminal complaint.
Update, 8:00 p.m. PT: Adds response from Amazon.