Dive Brief:
- Capital One disclosed a data breach affecting approximately 100 million individuals in the U.S. and 6 million in Canada, according to a company announcement. The bank determined on July 19 that an outside individual had gained unauthorized access to its data. The largest group affected were consumers and small businesses that had applied for Capital One credit card products, along with existing Capital One credit card customers.
- The application data, collected between 2005 and 2019, included names, addresses, postal codes, phone numbers, birth dates and self-reported income. The breach also exposed credit scores, credit limits, balances, payment history and fragments of transaction history from 2016 to 2018.
- The bank estimates that about 140,000 Social Security numbers and about 80,000 linked bank account numbers belonging to credit card customers were also compromised, according to the announcement.
Dive Insight:
With regulators having recently levied record fines on Equifax and Facebook for data privacy failures, Capital One's legal exposure looks grim.
The company expects incremental costs between $100 million and $150 million in 2019 because of the incident.
The bank's assessment of the breach led the company to "believe" that a "highly sophisticated individual was able to exploit a specific configuration vulnerability" in its infrastructure, according to the announcement. Upon discovering the intrusion, the bank fixed the configuration flaw, checked for other instances of it, and augmented its "routine automated scanning."
Paige Thompson, a former software engineer for a Seattle-based tech company, was arrested Monday and charged with computer fraud and abuse in connection with the breach, according to the Department of Justice.
Thompson posted about the intrusion on GitHub. Going by the handle "erratic" online, Thompson gained access to Capital One's systems through a misconfigured web application firewall, consistent with the "configuration vulnerability" the bank described.
The bank was tipped off about the breach on July 17 through an email address it uses to "[solicit] disclosures of actual or potential vulnerabilities in its computer systems," according to the DOJ.
Capital One differs from many financial services companies in its public-cloud-first strategy, built on Amazon Web Services rather than on private clouds behind internal firewalls. Breaches that begin with a web application vulnerability are common, however, wherever the application is hosted.
Equifax's 2017 data breach also began with an unpatched web application vulnerability. While Equifax's flaw had a patch available at the time of the intrusion, Capital One has described its flaw as a configuration issue, which is corrected by changing settings rather than by applying a vendor patch; it is not known whether a comparable fix was available to Capital One before the intrusion.