Capital One data breach involves 'tens of millions' of credit card applications

Officials with Capital One announced Monday the company has suffered a data breach involving about 100 million people in the United States.

Capital One, based in McLean, Virginia, said it found out about the vulnerability in its system on July 19 and immediately sought help from law enforcement to catch the perpetrator.

The FBI arrested a 33-year-old tech worker named Paige A. Thompson, who goes by the name "erratic", according to court documents.

Capital One Financial Corp. said data from about 100 million people in the US was illegally accessed after prosecutors accused a Seattle woman of breaking into the bank's server at a cloud-computing company.

However, "no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised", the company said.

"I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right".

While Thompson used a VPN and The Onion Router (Tor) exit nodes to hide her activities on S3, she posted files related to the illegal data access on the open source code repositories GitHub and GitLab using accounts bearing her full name, according to FBI investigators. In addition to data such as phone numbers, email addresses, dates of birth and self-reported income, the hacker was also able to access credit scores, credit limits and balances, as well as fragments of transaction information from a total of 23 days in 2016, 2017 and 2018.

The complaint says Thompson boasted in a Twitter direct message about having obtained the data, saying she had "basically strapped myself with a bomb vest, [expletive] dropping capitol ones dox and admitting it".

The bank says it will contact the affected customers and make free credit monitoring and protection available to them. Thompson is now awaiting trial, and could face up to five years in prison and a $250,000 fine.

According to Capital One, the stolen data was likely never used for fraud or shared with other groups, although the investigation continues. The data theft occurred some time between March 12 and July 17, federal prosecutors in Seattle said. The cloud-computing company, on whose servers Capital One rented space, wasn't identified in court papers.

It hasn't even been a week since Equifax settled with the FTC over a massive data breach in 2017, and another major financial institution has now reported a hacking incident with just as massive a reach.

Update, July 29, 6.03pm PT: Adds statement and additional details from Capital One.
