Anyone who has applied for a Capital One account in the last 14 years may have had private information stolen in the bank’s recently reported data breach. Capital One Financial Corporation (NYSE: COF) revealed that a data breach of its systems exposed the information of about 100 million people in the United States and another 6 million in Canada. Even applicants who were rejected still had information stored on the company’s servers.
Capital One said the hacking took place in March and that the company became aware of it July 19. Most of the affected credit card applicants applied for credit cards from 2005 through early 2019. Roughly 140,000 Social Security numbers and 80,000 bank account numbers were compromised. Capital One said the stolen data also included names, addresses, phone numbers, dates of birth, and financial data such as credit scores, credit limits, balances, payment history and self-reported income. No credit card account numbers or log-in credentials appear to have been compromised.
It’s not yet clear if anyone’s identity was stolen as a result of the Capital One breach. The bank plans to contact those affected using various channels and will offer free credit monitoring and identity protection to those whose information has been compromised. Costs related to the breach are expected to be $100 million to $150 million in 2019.
The Federal Bureau of Investigation (FBI) has already arrested the alleged perpetrator of the breach in Seattle. Paige A. Thompson, 33, a former Amazon software engineer, was identified as the alleged perpetrator after bragging about the breach online. Her boasting was apparently posted to GitHub, the largest website in the world for developers.
According to a criminal complaint filed in federal court in Seattle, Thompson claimed to have accessed the data by exploiting a misconfigured firewall on the Amazon Web Services cloud. Another party who saw the claims alerted Capital One, which in turn alerted the FBI. The computer fraud and abuse charges Thompson is facing are punishable by up to five years in prison and a $250,000 fine.