A solo hacker broke into the servers of Capital One Financial Corporation and accessed data pertaining to 106 million credit-card applicants from the United States and Canada, Capital One announced today (July 29) after the close of stock trading in New York.
“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” Capital One Chairman and CEO Richard D. Fairbank said in the company’s statement.
The information compromised included, according to the bank, “personal information Capital One routinely collects at the time it receives credit-card applications, including names, addresses, ZIP codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income.”
The upside is that no credit-card numbers or online credentials were stolen, the bank said. About 1 million Canadian Social Insurance Numbers and 160,000 U.S. Social Security numbers were stolen, but most such numbers were obscured in a manner that the hacker could not decrypt. About 77,000 bank-account numbers were stolen.
“We will notify affected individuals through a variety of channels,” the bank said in its official statement. “We will make free credit monitoring and identity protection available to everyone affected.”
The U.S. Department of Justice announced that a woman named Paige A. Thompson, 33, had been arrested in Seattle and charged with a single violation of the Computer Fraud and Abuse Act in connection with the Capital One intrusion.
The intrusion into Capital One’s servers occurred in March, according to the criminal complaint filed against Thompson. Thompson allegedly got into the servers through a configuration error in a web application firewall, and posted some of the stolen data on GitHub, an online software-development repository owned by Microsoft.
The criminal complaint says Thompson, who used the online handle “erratic” on GitHub, Slack and Twitter, corresponded with other individuals on those platforms discussing the data she had taken from Capital One.
On July 19, one of those individuals apparently notified Capital One through its bug-bounty program of the existence of the stolen data, and Capital One subsequently confirmed the intrusion.
The criminal complaint infers from Thompson’s online correspondence that she intended to distribute the stolen data, although the screenshots provided make it appear that she was trying to give it away rather than sell it.
If convicted, Thompson faces up to five years in federal prison and a $250,000 fine.