Skip to main content
close search
site logo
Dive Brief

Capital One's data breach hits 106M customers

Published July 30, 2019
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Nathan Dumlao

Dive Brief:

  • Capital One discovered a data breach impacting 100 million individuals in the U.S. and 6 million in Canada, according to a company announcement. Those hit hardest by the July 19 breach were individuals and small businesses that filed applications for credit card products and Capital One credit card customers.
  • The applications, filed between 2005 and 2019, included names, postal codes, phone numbers, birth dates and self-reported income. The breach also exposed credit scores, credit limits, balances, payment history and fragmented transaction history from 2016 to 2018. 
  • The bank estimates about 140,000 Social Security numbers and 80,000 linked bank account numbers to credit card customers were also compromised, according to the announcement. 

Dive Insight:

After regulators handed two record fines to Equifax and Facebook for data privacy infringements, Capital One's legal ramifications are grim.

The company expects incremental costs between $100 million and $150 million in 2019 because of the incident. 

The bank's assessment of the breach led the company to "believe" a "highly sophisticated individual was able to exploit a specific configuration vulnerability" in its infrastructure, according to the announcement. Upon discovery of the intrusion, the bank attended the flaw, looked for further instances, and augmented its "routine automated scanning."  

Paige Thompson, a former software engineer for a Seattle-based tech company, was arrested Monday for computer fraud and abuse in connection with the breach, according to the Department of Justice. 

Thompson posted on GitHub bragging about the intrusion. Going by the handle "erratic" online, Thompson used a misconfigured web application firewall to get into Capital One's systems. 

The bank was tipped off about the breach through an email address it uses to "[solicit] disclosures of actual or potential vulnerabilities in its computer systems" on July 17, according to the DOJ.

Capital One sets itself apart from other financial services companies because of its public cloud-first strategy relying on provider Amazon Web Services, as opposed to private clouds and internal firewalls. Pursuing a breach through a web application vulnerability is common. 

Equifax's 2017 data breach was also executed from an unpatched web application vulnerability. While Equifax's vulnerability had an available patch at the time of the intrusion, it's unknown if the same was true for Capital One.

Recommended Reading

Filed Under: Security, Big Data

Editors' picks

Company Announcements

View all | Post a press release
New Research Reveals AI's Impact on Power, Status, and Pay
From 1E
November 21, 2024
PointFive is Apparently the Hottest Cloud Startup, Here is Why
From Jordan Mitchell
November 21, 2024
NeuBird Named a Cool Vendor in the 2024 Gartner® Cool Vendors™ in IT Operations Leveraging Gen…
From NeuBird
November 11, 2024
Newgen and Fadata Join Forces to Optimize Insurance Content Management
From Newgen Software
November 13, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell