Capital One Financial Corp. announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.
Capital One said it immediately fixed the configuration vulnerability that this individual exploited and that it began working with federal law enforcement. The FBI has arrested the person responsible. Based on Capital One's analysis to date, the company believes it is unlikely that the information was used for fraud or disseminated by this individual.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, Chairman and CEO. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
Based on the analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
The company says that no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of Capital One's credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
No bank account numbers or Social Security numbers were compromised, other than:
- About 140,000 Social Security numbers of Capital One's credit card customers
- About 80,000 linked bank account numbers of Capital One's secured credit card customers
For the company's Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
The Capital One hacker was able to gain access to the data through a misconfigured web application firewall, the U.S. Attorney’s office said.
The company will notify affected individuals through a variety of channels.
The U.S. Justice Department said Paige Thompson, a former Seattle technology company software engineer, was arrested on Monday on a criminal complaint charging computer fraud and abuse for hacking into stored data of Capital One Financial.
Thompson, 33, made her initial appearance in U.S. District Court in Seattle on Monday and was ordered detained pending a hearing on Aug. 1, the statement said.
New York state is opening an investigation into a data breach at Capital One, New York Attorney General Letitia James said in a statement Tuesday.
“My office will begin an immediate investigation into Capital One’s breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief,” James said in the statement. “We cannot allow hacks of this nature to become everyday occurrences.”