Capital One data breach involves 100 million credit card applications

Data stolen also included 140,000 Social Security numbers and 80,000 bank account numbers.

Alfred Ng Senior Reporter / CNET News
Mark Serrels Editorial Director
Capital One Financial's offices in San Francisco

Stephen Shankland/CNET

Capital One said Monday that data from more than 100 million US citizens and 6 million Canadian residents had been stolen by a hacker.

If you applied for a credit card from the US bank from 2005 through 2019, your information is likely part of this breach, Capital One said in a statement. The data includes roughly 140,000 US Social Security numbers and about 80,000 bank account numbers, according to Capital One. The hacker also stole about 1 million Canadian social insurance numbers in the breach.

Capital One added that "no credit card account numbers or log-in credentials were compromised" and that more than 99 percent of the Social Security numbers that Capital One has on file weren't affected. The breach did, however, include names, addresses, ZIP codes, phone numbers, email addresses and birthdates -- all valuable assets that hackers can use to steal from victims.

The FBI arrested a 33-year-old tech worker named Paige A. Thompson, who goes by the nickname "erratic," according to the Justice Department. Prosecutors charged Thompson with computer fraud and abuse, alleging that she was behind the hack. 

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, chairman and CEO of Capital One. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

On Tuesday, New York Attorney General Letitia James said she would immediately begin an investigation into the Capital One incident. "We cannot allow hacks of this nature to become everyday occurrences," James said in a statement.

This incident comes in the wake of news that Equifax may have to pay up to $700 million over a 2017 data breach. That breach of Equifax's servers involved the Social Security numbers and home addresses of nearly 148 million Americans. 

According to court documents in the Capital One case, Thompson allegedly stole the information by finding a misconfigured firewall on Capital One's Amazon Web Services cloud server. Investigators accused Thompson of accessing that server from March 12 to July 17. More than 700 folders of data were stored on that server, according to the Justice Department. 

Thompson allegedly posted details about the hack on a GitHub page in April, and talked about the attack on Twitter and Slack discussions, according to the FBI. 

Court documents showed that Capital One didn't learn about the hack until July 17, when someone sent a message to the company's responsible disclosure email address with a link to the GitHub page. The page had been up since April 21, with the IP address for a specific server containing the company's sensitive data.

"Capital One quickly alerted law enforcement to the data theft -- allowing the FBI to trace the intrusion," US Attorney Brian T. Moran said in a statement. 

The GitHub page had Thompson's full name, as well as another page containing her resume. Court documents showed that on the resume, Thompson was listed as a systems engineer and was an employee at Amazon Web Services from 2015 to 2016. In a statement, Amazon said the former employee left the company three years before the hack took place.

Amazon said that AWS wasn't compromised in any way, pointing out that the alleged hacker gained access through a misconfiguration on the cloud server's application, not through a vulnerability in its infrastructure.

The FBI also found Twitter message logs where Thompson allegedly wrote, "I've basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it," noting that she wanted to distribute the data she stole.

Capital One said it was "unlikely that the information was used for fraud or disseminated by this individual" but committed to investigating the hack fully. The company expects this hack will cost the company approximately $100 million to $150 million in 2019.

The FBI seized Thompson's devices on Monday after obtaining a search warrant, and arrested her. If found guilty, Thompson faces up to five years in prison and a $250,000 fine. 

Like Equifax, Capital One said that it would be providing free credit monitoring and identity protection to everyone involved.

Originally published July 29 at 4:59 p.m. PT.
Update, 6:03 p.m. PT: Adds statement and additional details from Capital One.
Update, 6:46 p.m. PT: Adds details from the criminal complaint.
Update, 8:00 p.m. PT: Adds background information.
Update, July 30 at 9:35 a.m. PT: Adds statement by New York's attorney general.