Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?


Cyber Insurance

Capital One Discloses Massive Data Breach: 106 Million Impacted

Capital One said on Monday that a malicious individual was able to exploit a vulnerability in cloud infrastructure used by the company and gain access to sensitive data on more than 100 million customers and credit applicants.

Capital One said on Monday that a malicious individual was able to exploit a vulnerability in cloud infrastructure used by the company and gain access to sensitive data on more than 100 million customers and credit applicants.

CapitalOne said it confirmed the incident on July 19, 2019, after being tipped off by a security researcher through its Responsible Disclosure Program on July 17, 2019.

While Capital One said an arrest was made for the person responsible, it did not name the individual in its announcement. However, in a separate announcement on Monday, the Department of Justice (DoJ) said that 33-year-old Paige A. Thompson was arrested and charged in connection with the incident.

Thompson — who goes by the online handle “erratic” — is facing a criminal complaint of computer fraud and abuse in  U.S. District Court in Seattle. 

According to the DoJ, Thompson was able to exploit a misconfigured web application firewall that enabled her to run commands and exfiltrate data.

FBI agents raided Thompson’s residence on Monday and seized electronic storage devices containing a copy of the Capital One data.

Capital One said the incident impacts approximately 100 million individuals in the United States and approximately 6 million in Canada, based on analysis done so far, but “believes it is unlikely” that the information was used for fraud or disseminated by Thompson.

No credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised, the financial institution said.

In all, the company said about 140,000 Social Security numbers of U.S credit card customers were exposed, along with roughly 80,000 linked bank account numbers of secured credit card customers. Approximately 1 million Social Insurance Numbers of Canadian credit card customers were compromised.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” Capital One said. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

Capital One said the incident is expected to cost approximately $100 to $150 million in 2019, largely driven by customer notifications, credit monitoring, technology costs, and legal fees. 

The Company said it does carry cyber insurance, subject to a $10 million deductible and standard exclusions and carries a total coverage limit of $400 million.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

CISO Strategy

The question for 2023 and beyond is whether the cyberinsurance industry can make a profit without destroying its market.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...