It hasn’t even been a week since Equifax settled with the FTC over a massive data breach in 2017, and another major financial institution has already reported a hacking incident with just as massive a reach. Capital One is now disclosing that it just suffered a “data security incident”. While it assures customers that the perpetrator has been apprehended and that the stolen data is unlikely to have been used at this point, the amount of data pilfered will still strike fear and concern among affected customers.
According to Capital One’s own report, about 100 million individuals in the US and 6 million in Canada were affected. These individuals were consumers and small businesses that applied for the company’s credit card products. More than just the amount, the breadth of the data collected is also staggering:
• Names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
• Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
• Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
• About 140,000 Social Security numbers of our credit card customers
• About 80,000 linked bank account numbers of our secured credit card customers
The perpetrator was named by the DOJ as a certain Paige Thompson and has already been detained by authorities. Capital One will contact individuals who were affected and will offer free credit card monitoring and identity protection for those customers. It is, however, still uncertain whether the story will end there.
The DOJ’s report reveals that the hack occurred because of a misconfigured web application firewall. Capital One did admit as much and apologized for the unfortunate event. Although the perpetrator has been apprehended and the security hole patched, there is no assurance that the data has not already been spread or sold to the highest bidder. The company claims it hasn’t but promises to keep investigating to be sure.