Capital One, one of the US largest credit card issuer has suffered a data breach exposing the personal information of more 100 million credit card applications.
According to the advisory, the security breach took place on March 22nd and 23rd and affected approximately 100 million individuals in the United States and 6 million in Canada.
Hackers were able to access information of customers who had applied for a credit card between 2005 and 2019.
The data breach was discovered when an ethical hacker disclosed a configuration vulnerability to Capital One on July 17, 2019. After an internal investigation on July 19, 2019, the company discovered unauthorised access to their system.
The data breach exposed personal information such as names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
The attacker also accessed a portion of credit card customer data, including:
- Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
The hacker also was able to access about 140,000 Social Security numbers and 80,000 bank account numbers of American customers. In the case of Canadian credit customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
The company also confirmed that no credit card numbers or login credentials were compromised in the incident.
After discovering the incident the company immediately fixed the vulnerability responsible for the breach and notified the law and enforcement authorities about the incident.
According to the company, the law enforcement authorities have already arrested the hacker responsible for the incident.
Paige Thompson (33), a former Seattle technology company software engineer was arrested by the FBI on computer fraud and abuse for an intrusion on the stored data of Capital One Financial Corporation.
According to the press release by the Department of Justice, Thompson posted a comment on the information sharing website GitHub about accessing Capital One’s data by exploiting a misconfigured firewall cloud server.
“According to the criminal complaint, THOMPSON posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. “ said in the Department of Justice Press release.
The company has started notifying the affected customers and will provide free credit card monitoring and identity protection services to everyone affected.
You may be interested in reading: New Ransomware named eCh0raix Targets QNAP NAS Devices