Capital One breach exposes personal details of over 100 million customers

A 'configuration vulnerability' led to the breach, with the hacker already in custody.

What you need to know

  • Capital One has confirmed that a hacker breached its servers by taking advantage of a "configuration vulnerability."
  • The hacker accessed names, addresses, phone numbers, email addresses, dates of birth, and self-reported income of 100 million customers in the U.S. and 6 million in Canada.
  • The hacker — a 33-year-old software engineer named Paige Thompson — is already in custody.

Financial institution Capital One has suffered a data breach that exposed personal details of over 100 million customers. The bank noted that a hacker was able to access its systems via a "configuration vulnerability," allowing them to make off with names, addresses, phone numbers, email addresses, dates of birth, and self-reported income of 100 million customers in the U.S. and 6 million in Canada:

The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

The bank says that neither credit card numbers nor log-in information was compromised, but the hacker was able to access 140,000 U.S. Social Security numbers, 80,000 bank account numbers that were linked to credit cards, and 1 million Canadian social insurance numbers.

The hacker is already in federal custody after sharing their exploits on GitHub, which led a tipster to contact the bank. Federal investigators from the F.B.I. were then able to follow an online trail to track down the hacker: 33-year-old Paige Thompson, who previously worked as a software engineer for Amazon Web Services.

Thompson boasted about the hack in a Slack room, and a search warrant executed on her house turned up storage devices containing data from the breach. Thompson is now awaiting trial, and could face up to five years in prison and a $250,000 fine.

For its part, Capital One has confirmed that it fixed the vulnerability that led to the hack. But as was the case with Equifax, it is likely Capital One will be hit with a class action lawsuit, with the bank already noting that it may cost between $100 million and $150 million as a result.