In what is sure to be one of the largest data breaches of 2019, Capital One has announced that a hacker has made off with the details of 106 million credit card customers and applicants. One person has already been arrested for the hack, which Capital One says took place between March 12 and July 17, 2019. The alleged hacker is a former employee of Amazon Web Services, reports the Wall Street Journal. Capital One said it became aware of the hack on July 19. In a press release, Capital One said:
“Capital One Financial Corporation (NYSE: COF) announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.
“Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”
As for what data was contained in the breach, Capital One says:
- The event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
- The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of Capital One’s credit card products from 2005 through early 2019.
- Personal information including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income was obtained in the hack.
- Additionally, credit card customer data including credit scores, credit limits, balances, payment history, and contact information was breached.
- Fragments of transaction data from a total of 23 days during 2016, 2017, and 2018 were also obtained.
- About 140,000 U.S. Social Security numbers of Capital One credit card customers were breached.
- About 80,000 linked bank account numbers of Capital One secured credit card customers were also obtained.
- Approximately 1 million Canadian Social Insurance Numbers for Canadian credit card customers were accessed.
So were you affected and how can you find out? Rather unhelpfully, all Capital One is saying right now is that they “will notify affected individuals through a variety of channels.” What these channels may be is anyone’s guess. And given that Capital One has been aware of the hack for a week and a half, it’s disappointing they aren’t being more specific or don’t yet have an online tool in place to allow customers and applicants to check if their data was breached.
Another issue with Capital One’s disclosure is the language they used in the post titled “Facts 2019.” In it, Capital One said, “No bank account numbers or Social Security numbers were compromised, other than . . . ” which some on social media have found misleading.
“Incredible. Capital One's data breach site is titled "Facts."
And yet it also pulls this bullshit by saying that no Social Security numbers were breached… except for all the Social Security numbers that were breached.
Fuck you, Capital One. pic.twitter.com/PBod3z9QtC”
— Zack Whittaker (@zackwhittaker) July 30, 2019
Capital One is saying they will make free credit monitoring and identity protection available to everyone affected—which is pretty standard stuff when any company suffers a major data breach. Capital One also revealed that the data breach is expected to cost the company between $100 million and $150 million in 2019. Those costs are due to customer notifications, legal support, and credit monitoring.