
Capital One Discloses Massive Data Breach: 106 Million Impacted

Capital One said on Monday that a malicious individual was able to exploit a vulnerability in cloud infrastructure used by the company and gain access to sensitive data on more than 100 million customers and credit applicants.


Capital One said it confirmed the incident on July 19, 2019, after being tipped off by a security researcher through its Responsible Disclosure Program on July 17, 2019.

While Capital One said an arrest was made for the person responsible, it did not name the individual in its announcement. However, in a separate announcement on Monday, the Department of Justice (DoJ) said that 33-year-old Paige A. Thompson was arrested and charged in connection with the incident.

Thompson — who goes by the online handle “erratic” — is facing a criminal complaint of computer fraud and abuse in U.S. District Court in Seattle.

According to the DoJ, Thompson was able to exploit a misconfigured web application firewall that enabled her to run commands and exfiltrate data.

FBI agents raided Thompson’s residence on Monday and seized electronic storage devices containing a copy of the Capital One data.

Capital One said the incident impacts approximately 100 million individuals in the United States and approximately 6 million in Canada, based on analysis done so far, but “believes it is unlikely” that the information was used for fraud or disseminated by Thompson.

No credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised, the financial institution said.


In all, the company said about 140,000 Social Security numbers of U.S. credit card customers were exposed, along with roughly 80,000 linked bank account numbers of secured credit card customers. Approximately 1 million Social Insurance Numbers of Canadian credit card customers were compromised.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” Capital One said. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

Capital One said the incident is expected to cost approximately $100 to $150 million in 2019, largely driven by customer notifications, credit monitoring, technology costs, and legal fees. 

The company said it carries cyber insurance with a total coverage limit of $400 million, subject to a $10 million deductible and standard exclusions.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
