Capital One Breach Exposed Data From 106M Credit Card Applicants, Users

The suspect allegedly posted on GitHub about her theft of information from the servers storing Capital One data, according to a criminal complaint.

Capital One revealed late Monday that a hacker gained access to personal information from 106 million credit card applicants and customers in the United States and Canada.

The McLean, Va.-based financial services giant said one million Canadian Social Insurance Numbers, 140,000 U.S. Social Security numbers, and 80,000 linked bank account numbers of Capital One customers were compromised in the breach. The FBI Monday arrested Paige Thompson, a 33-year-old former Seattle technology company software engineer, in connection with the incident on charges of computer fraud and abuse. The Wall Street Journal, citing people familiar with the matter, reported Thompson was previously employed by Amazon Web Services.

An AWS spokesperson did not immediately respond to a CRN request for comment.

According to the criminal complaint, Thompson posted on GitHub about her theft of information from the servers storing Capital One data. The intrusion allegedly occurred through a “misconfigured web application firewall that enabled access to the data.”

On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft, a summary of the complaint stated. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI. Investigators, the complaint stated, were able to identify Thompson as the person who was posting about the data theft. This morning agents executed a search warrant at THOMPSON’s residence and seized electronic storage devices containing a copy of the data.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," Capital One Chairman and CEO Richard Fairbank said in a statement. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

[Related: Equifax Data Breach Settlement Of Up To $700M Largest Ever]

Consumers and small businesses that applied for a Capital One credit card between 2005 and early 2019 had their name, address, ZIP code/postal code, phone number, email address, date of birth, and self-reported income accessed by the hacker, according to the company. Roughly 100 million individuals in the United States and six million individuals in Canada were affected by the breach, according to Capital One.

Capital One expects to spend between $100 million and $150 million on customer notifications, credit monitoring, technology costs, and legal support associated with the breach in 2019 alone. The company said its cyber risk insurance is subject to a $10 million deductible and carries a total coverage limit of $400 million.

The company's stock is down $2.92 (3.01 percent) to $94 per share in after-hours trading Monday. Bloomberg first reported on the breach shortly after 6 p.m. ET Monday, and Capital One disclosed the incident an hour later.

The hacker obtained personal information related to people applying for credit card products and Capital One credit card customers on March 22 and March 23 of this year, according to the company. Federal prosecutors alleged that Thompson hacked into an undisclosed cloud computing company's server on which Capital One rented space, according to Bloomberg.

Capital One said it was first notified of a configuration vulnerability in its infrastructure by an external security researcher on July 17, 2019. Two days later, the company came to realize it had been breached.

Although Capital One typically encrypts its data, the company said the particular circumstances of the hacker also enabled the decrypting of data. However, Capital One said highly sensitive data fields such as Social Security numbers and account numbers were also tokenize, meaning that information in the field was substituted with a cryptographically generated replacement.

Tokenized data remains protected, Capital One said, since the method and key used to unlock tokenized fields are different from those used to encrypt data. Capital One said its use of the cloud didn't make the company more susceptible to the security vulnerability, but credited the cloud for helping the company rapidly diagnose and fix the vulnerability, along with determining its impact.

Capital One's breach disclosure comes just a week after Equifax agreed to pay up to $700 million to federal and state agencies to settle litigation around a 2017 data breach that affected 147 million people.