Financial giant Capital One announced a large data breach Monday, with the company saying that one person accessed personal information of approximately 100 million people in the United States and 6 million in Canada who had applied for or are currently considered users of the company’s credit cards.
Additionally, the FBI arrested a woman in Washington state who is suspected of hacking into the company to obtain that information. Paige A. Thompson was arrested Monday and appeared in federal court in Seattle.
According to the complaint, Thompson allegedly took wide swaths of personal information from Capital One’s cloud storage instances on March 22 and March 23. The company stored the data taken by Thompson on Amazon Web Services.
The company says this information included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income. The information ranged from 2005 to early 2019.
Additionally, Capital One says the following information was obtained:
- Customer status data such as credit scores, credit limits, balances, payment history and contact information.
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.
- About 140,000 Social Security numbers of credit card customers.
- About 80,000 linked bank account numbers of secured credit card customers.
- Approximately 1 million Canadian Social Insurance Numbers.
According to the FBI, a misconfigured firewall allowed Thompson to access a list of more than 700 folders that contained the data. Sometime shortly thereafter, Thompson allegedly posted on GitHub that she was in possession of the data.
The company was made aware of the breach on July 17 when someone emailed Capital One via their security disclosure email contact and informed it the data was publicly posted on GitHub.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Capital One chairman and CEO, said in a press release. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
The company says it will be make free credit monitoring and identity protection available to everyone affected.
In a press release issued Monday, Capital One said it expects the incident to cost the company between $100 million and $150 million this year. It also stated it has a cyber insurance package with a total coverage limit of $400 million.
Thompson was a former employee of Amazon Web Services from 2015 to 2016, according to her LinkedIn profile. If convicted, she faces a five-year prison sentence and a fine up to $250,000.
You can read the full complaint below.