Capital One is reporting a massive data breach affecting 100 million people in the US that exposed the names, addresses, phone numbers and email addresses they used on their credit card applications.
A 33-year-old Seattle woman named Paige Thompson allegedly exploited a vulnerability in Capital One’s online databases to steal the credit card application documents, according to the criminal complaint the FBI filed on Monday.
Capital One became aware of the breach on July 17 when a security researcher emailed it about how the company’s private information had been leaked to a GitHub page, which the FBI claims was registered to Thompson.
The vulnerability involved a firewall misconfiguration. According to the FBI, Thompson set up servers at an unnamed cloud computing company to exploit the flaw. She then sent commands to Capital One’s databases starting in March to steal login credentials and access over 700 company folders. A copy of all the data was then created and exfiltrated in the following weeks.
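The pattern the FBI describes above, one identity walking hundreds of storage folders and then copying the contents out, is the kind of activity that access logs can surface long before a researcher's email does. The following Python detector is an added example written for this article, not code from Capital One, the FBI, or any cloud provider; the log format, principal names, folder names, the `ext://` and `internal://` destination scheme, and the alert thresholds are all constructed assumptions for illustration.

```python
"""Flag bulk folder enumeration and external copy-out in storage access logs.

Constructed example: scans simplified access-log records of the form
"<ISO-8601 time> <principal> <action> <path-or-destination>" and reports
(1) any principal reading an unusually large number of distinct folders
inside a sliding time window and (2) any COPY whose destination is not
under a trusted prefix. Field names, thresholds and sample data are
assumptions made for this example, not anything from the breach itself.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline traffic: one service touching a couple of folders.
NORMAL_LINES = [
    "2019-03-22T10:00:01Z svc-billing GET finance-2018/statements.csv",
    "2019-03-22T10:00:05Z svc-billing GET finance-2018/summary.csv",
    "2019-03-22T10:02:30Z svc-billing GET finance-2019/summary.csv",
]

# Constructed suspicious traffic: one principal sweeping fifteen distinct
# application-year folders within a minute, then copying data to an
# address outside the environment (198.51.100.0/24 is a documentation range).
BULK_LINES = [
    f"2019-03-22T11:00:{i:02d}Z svc-web-role GET "
    f"applications-{2005 + i % 15}/batch-{i:03d}.gz"
    for i in range(60)
] + ["2019-03-22T11:05:00Z svc-web-role COPY ext://198.51.100.7/dump/"]


def parse_log(lines):
    """Parse the assumed four-field log lines into time-sorted event dicts."""
    events = []
    for line in lines:
        ts, principal, action, target = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "principal": principal,
            "action": action,
            "target": target,
            # For reads, the first path component is the folder being touched.
            "folder": target.split("/", 1)[0],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bulk_folder_access(events, window=timedelta(minutes=10), max_folders=10):
    """Return {principal: peak_distinct_folders} for principals that read more
    than max_folders distinct folders within any sliding window of `window`."""
    alerts = {}
    per_principal = defaultdict(list)
    for e in events:
        if e["action"] in ("GET", "LIST"):
            per_principal[e["principal"]].append(e)
    for principal, evs in per_principal.items():
        recent = deque()
        for e in evs:
            recent.append(e)
            # Drop events that have fallen out of the window.
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            folders = {r["folder"] for r in recent}
            if len(folders) > max_folders:
                alerts[principal] = max(alerts.get(principal, 0), len(folders))
    return alerts


def detect_external_copy(events, trusted_prefixes=("internal://",)):
    """Return COPY events whose destination is not under a trusted prefix."""
    return [
        e for e in events
        if e["action"] == "COPY"
        and not e["target"].startswith(trusted_prefixes)
    ]


if __name__ == "__main__":
    evs = parse_log(NORMAL_LINES + BULK_LINES)
    for principal, count in detect_bulk_folder_access(evs).items():
        print(f"ALERT bulk access: {principal} read {count} distinct folders")
    for e in detect_external_copy(evs):
        print(f"ALERT external copy: {e['principal']} -> {e['target']} at {e['ts']}")
```

Both signals are deliberately coarse: the folder threshold catches enumeration regardless of which credential was used, and the copy check catches the exfiltration step even when the read volume alone looks plausible for a batch job. In practice the window and threshold should be tuned against each principal's normal baseline so that legitimate bulk processors are allowlisted rather than silenced globally.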
Thompson has now been arrested and the vulnerability has been patched. According to Capital One, the stolen data was likely never used for fraud or shared with other groups, although the investigation continues. “Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of social security numbers were not compromised,” the company said in today’s announcement.
Only 140,000 credit card customers in the US had their social security numbers stolen in the breach. Another 80,000 customers had their bank account numbers exposed.
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the company added. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
Other exposed data can include credit scores, payment information, and fragments of transaction data.
The company plans to notify affected customers and offer them free credit monitoring and identity protection services. Six million customers in Canada were also affected.
As for Thompson, she faces up to five years in prison and a $250,000 fine for the alleged hack. According to the FBI, Thompson also referenced the breach via messages she made over on Twitter and on Slack. “I’ve basically strapped myself with a bomb vest, fucking dropping capital ones dox and admitting it,” she said in one message to an unnamed user on Twitter last month.