Capital One has confirmed that it was the victim of a hack involving the data of around 100 million individuals in the US and six million in Canada.
The US financial services giant announced that the hack, which was discovered on 19 July, involved “unauthorised access by an outside individual who obtained certain types of personal information” relating to people who had applied for its credit card products and to Capital One credit card customers.
A 33-year-old former software engineer, Paige Thompson, has been identified as the alleged hacker. Thompson appeared in US District Court in Seattle on Monday, according to the US attorney’s office.
The hack, which was able to decrypt encrypted data sets, occurred on 22 and 23 March, Capital One said.
Richard D. Fairbank, chairman and chief executive of Capital One, said: “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened.
“I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”
The company underlined that no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.
However, personal information including names and addresses, dates of birth and self-reported income had been left exposed by the hack.
Beyond the credit card application data, the individual also obtained portions of credit card customer data, including customer status data such as credit scores, credit limits, balances, payment history and contact information.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of the company's credit card products from 2005 through early 2019.
Approximately one million Social Insurance Numbers belonging to customers in Canada were compromised in the incident, the company said.
The company expects the incident to generate incremental costs of approximately $100 to $150 million in 2019, mainly for customer notifications and communications, credit monitoring, technology costs and legal support.
A statement read: “Safeguarding our customers' information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses.”
Sam Curry, chief security officer at Cybereason, said: “For all intents and purposes, it looks like Capital One had some good security practices in place, as evidenced by tokenisation of data shown so far.
“As a positive, the FBI made an arrest quickly and there is a chance to minimise the damage. Normally, it's months, years or never in terms of arrests and accountability of the criminals – finding things sooner in the lifecycle always limits the impact and damage to the innocent.”