Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyber Insurance

Capital One Discloses Massive Data Breach: 106 Million Impacted

Capital One said on Monday that a malicious individual was able to exploit a vulnerability in cloud infrastructure used by the company and gain access to sensitive data on more than 100 million customers and credit applicants.

Capital One said on Monday that a malicious individual was able to exploit a vulnerability in cloud infrastructure used by the company and gain access to sensitive data on more than 100 million customers and credit applicants.

CapitalOne said it confirmed the incident on July 19, 2019, after being tipped off by a security researcher through its Responsible Disclosure Program on July 17, 2019.

While Capital One said an arrest was made for the person responsible, it did not name the individual in its announcement. However, in a separate announcement on Monday, the Department of Justice (DoJ) said that 33-year-old Paige A. Thompson was arrested and charged in connection with the incident.

Thompson — who goes by the online handle “erratic” — is facing a criminal complaint of computer fraud and abuse in  U.S. District Court in Seattle. 

According to the DoJ, Thompson was able to exploit a misconfigured web application firewall that enabled her to run commands and exfiltrate data.

FBI agents raided Thompson’s residence on Monday and seized electronic storage devices containing a copy of the Capital One data.

Capital One said the incident impacts approximately 100 million individuals in the United States and approximately 6 million in Canada, based on analysis done so far, but “believes it is unlikely” that the information was used for fraud or disseminated by Thompson.

No credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised, the financial institution said.

Advertisement. Scroll to continue reading.

In all, the company said about 140,000 Social Security numbers of U.S credit card customers were exposed, along with roughly 80,000 linked bank account numbers of secured credit card customers. Approximately 1 million Social Insurance Numbers of Canadian credit card customers were compromised.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” Capital One said. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

Capital One said the incident is expected to cost approximately $100 to $150 million in 2019, largely driven by customer notifications, credit monitoring, technology costs, and legal fees. 

The Company said it does carry cyber insurance, subject to a $10 million deductible and standard exclusions and carries a total coverage limit of $400 million.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights