Skip to content
Naked Security Naked Security

Capital One breach – 100 million users’ data stolen

Global financial services company Capital One has just announced a massive data breach.
Written by
July 30, 2019
Naked Security breach capital one data breach

Global financial services company Capital One has just announced a massive data breach:

The breach notification starts in general terms:

Capital One Financial Corporation announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.

The company continues:

Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.

So far, there are no details to suggest what sort of vulnerability was exploited, and therefore no indication of what has now been changed and how permanent or effective the fixes might be.

We don’t know whether it was an unpatched security flaw, an incorrectly configured access control setting, or some other cybersecurity issue.

The breach is notable more for what was taken than what wasn’t, covering:

  • 100,000,000 users in the USA
  • 6,000,000 users in Canada
  • Any consumer or small business who applied for a credit card in the past 14 years (2005 to early 2019).
  • Personal data including names, addresses, zip codes, phone numbers, email addresses, dates of birth, income.

Some customers also had the following information lifted:

  • Credit scores, credit limits, balances, payment history, contact information and more.
  • Social security numbers (SSNs).
  • Bank account numbers linked to credit cards.

The silver lining is that the majority of customers didn’t lose SSNs in the breach – Capital One says that only 140,000 SSNs and 80,000 bank account numbers were acquired.

The bad part of that, of course, is that if you’re one of the 140,000 then you’re a bit more exposed than the other 99.9% of breached customers.

What to do?

Capital One says on its breach report page that “free credit monitoring and identity protection is available to everyone affected” – there’s a phone number on the web page if you want to find out more.

According to reports, a hacker called Paige Thompson has been arrested in relation to this crime, apparently after boasting online about their actions.

Presumably, the speedy arrest is what has led Capital One to say that it doesn’t think the data has been sold on and therefore that the risk is low.

Nevertheless:

  • Keep a careful eye on all your statements. Report suspicious transactions immediately.
  • If you have signed up to a credit reporting service, take the time to read the reports you receive. They’re there to help you spot account problems early on, not merely so you can track them down later!
  • Revisit the Capital One info page in a day or two. The company says that “the investigation is ongoing and analysis is subject to change.”
About the Author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.

Follow him on Twitter: @duckblog

Read Similar Articles

5 Comments

Great, I just got a card end of June. Thanks for the heads up. Just a shame I did not hear it from them first.

They have been very slow at releasing information.
Capital One has admitted that it was a misconnfigured S3 server, (Keeping your data on Someone Else’s computer), What Could Possibly go Wrong?… They do have a FAQ page which explains virtually nothing.
As for us Canuks, we are left even more in the dark. Little said from the Capital One Canada, our government regulators and just or a few mentioned in the press and media.

“So far, Capital One isn’t giving any advice on what to do next, or offering any services such as credit monitoring to help you keep track of problems that may arise.”

From the linked page on Capital One’s website:
“What are we doing to help
Free credit monitoring and identity protection is available to everyone affected.
We recognize that there may be questions or concerns and our customer service line is available at 1-800-227-4825.”

I haven’t checked it out yet, but I imagine that more info would be found in their FAQs on this topic, also available from that same page (big blue button labeled “View FAQs” at the bottom of the info section of the page, as well as a link at the top labeled “Frequently Asked Questions”).

Anyone who could be impacted by this, and really, everyone in the US, should immediately get a credit freeze. It’s free now, from all 3 credit bureaus. It basically puts a security pin/password on your credit for any new credit lines that are opened. But before you do it, make sure you set up a my Social Security account, as doing it after the freeze is in place is difficult..

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?