A massive data breach of Capital One exposed the personal data of approximately 100 million people, including nearly about 80,000 bank account numbers and 140,000 Social Security numbers.
Federal authorities arrested a Seattle-area woman, Paige A. Thompson. They said Thompson, who worked for a Capital One contractor, stole the data from the bank’s credit card applications in March, according to Bloomberg.
Capital One acknowledged the data breach on Monday, saying it affected “approximately 100 million individuals in the United States and approximately 6 million in Canada.”
“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” the company wrote. “However, we will continue to investigate.”
How did the data breach happen?
According to court documents, Thompson worked for a cloud computing company that was contracted by Capital One.
Capital One described the alleged hacker as a “highly sophisticated individual who was able to exploit a specific configuration vulnerability in our infrastructure.”
The company added that it addressed the vulnerability after discovering it, and that much — but not all — of the data was encrypted. That said, because Thompson had access to the system, she was able to decrypt some of the data, Capital One said.
“Although some of the information in those applications (such as Social Security numbers) has been tokenized or encrypted, other information including applicants’ names, addresses, dates of birth and information regarding their credit history has not been tokenized,” the FBI said in a criminal complaint reviewed by the Washington Post.
Thompson has been accused of “exfiltrating and stealing information, including credit card applications and other documents, from Capital One,” according to court papers. Other compromised data included credit scores, credit limits, balance, and payment information. About a million Canadian Social Insurance numbers were also compromised.
Thompson went by the nickname “erratic” online and wrote about the breach in posts.
“I’ve basically strapped myself with a bomb vest, [expletive] dropping capital ones dox and admitting it,” she wrote, according to the FBI.
Speaking on Slack, she posted a list of the files she had allegedly taken and said “I wanna get it off my server that’s why Im archiving all of it lol … its all encrypted,” according to court documents.
Capital One learned of the breach on July 17 from an online posting and quickly alerted the FBI. We’ve reached out to the bank for more details on who might have been impacted by the breach and will update this story if they respond.
Digital Trends was unable to contact an attorney for Thompson. She will remain in jail for the time being and has a bail hearing scheduled for Thursday.
Was my data affected by the Capital One breach?
At this point, it’s unclear — but it’s likely, just based on the number of affected customers. A much smaller number of people had their key data — bank number and social security numbers — exposed. If your data was compromised, you should hear from Capital One soon.
“We will notify affected individuals through a variety of channels,” Capital One wrote, “We will make free credit monitoring and identity protection available to everyone affected.”
The company expects the breach to cost it between $100 and $150 million this year, mostly for the cost of notifying customers and monitoring their credit.
The massive scale of the leaked credit card applications could make this one of the biggest financial data breaches ever. The largest was the 2017 Equifax breach, in which hackers stole personal data from about 147 million people. That hack ended in a $700 million settlement with the Federal Trade Commission (FTC).