• by Ray Schultz , July 30, 2019

Capital One Financial Corp. was hit with a data breach exposing email addresses and other data on 106 million people, 100 million of them in the U.S., the remainder in Canada. the company announced on Monday afternoon. 

An outside individual gained unauthorized access and obtained personal information on Capital One credit card holders plus consumers and small business people who had applied for the card from 2005 to 2013.

The exposed data includes names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

That alleged culprit is Paige A. Thompson, a former software engineer at a Seattle tech company, according to U.S. Attorney Brian T. Moran.

Thompson was arrested and charged with computer fraud and abuse, an offense punishable by up to five years in prison and a $250,000 fine.

Moran’s office states that Thompson posted on GitHub about the data theft. On July 17, a  GiftHub user alerted Capital One about the possible breach, and on July 19 the company determined it had occurred.

The intrusion occurred through a misconfigured web application firewall that enabled access to the data, a vulnerability Capital One say it has fixed.

 “Capital One quickly alerted law enforcement to the data theft -- allowing the FBI to trace the intrusion,” Moran states.  

The breach did not compromise credit card account numbers or log-in credentials, according to Capital One. Nor were 99% of the Social Security numbers breached, it adds. 

Moreover, Capital One does not believe that Thompson used the information for fraud, and adds that she did not disseminate the data.

However, the company acknowledged that the following data was compromised:

• Customer status data such as credit scores, credit limits, balances, payment history and contact information.
• Transaction data fragments from 23 days during 2016, 2017 and 2018.
• Roughly 140,000 Social Security numbers of U.S. customers and 1 million Canadian Social Insurance Numbers.
• About 80,000 linked bank account numbers of secured credit card holders. 

Capital One says it will make free credit monitoring and identity protection available to the affected individuals. The company expects the episode will cost between $100 million and $150 million this year due to customer notifications, credit monitoring and legal support, Reuters reports.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, Chairman and CEO. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."