Personal Data of 106 Million People Stolen in Capital One Data Breach

The breaches just keep on coming.

On the heels of Equifax’s record-setting data breach settlement, the FBI disclosed that the personal information of 106 million people was stolen from credit card issuer Capital One in one of the largest data breaches at a financial institution in history.

Most of the stolen data came from credit applications that consumers submitted with Capital One between 2005 and 2019, adding to a string of high-profile breaches and leaks that have exposed the sensitive financial data of hundreds of millions of consumers in recent months (Exhibit A and Exhibit B).

Capital One's failure to properly secure the personal data its customers entrusted to it isn't new, but exposing the credit applications of over a 100 million people is about as bad as it gets. Here is everything you need to know about the Capital One hack.

What information was stolen in the hack?

The hack exposed the names, addresses, dates of birth, phone numbers, and self-reported income of 106 million Capital One credit card applicants and customers, and in some cases, Social Security numbers, bank account numbers, credit scores, and transaction data.

Approximately 140,000 Social Security numbers, 80,000 bank account numbers, and 1 million Canadian Social Insurance numbers were stolen, making it one of the largest data breaches at a major bank in history. According to Capital One, the breach affected 100 million Americans and 6 million Canadians, most of whom applied for credit from the company between 2005 and early 2019.

Along with credit card application data, the information of current Capital One credit card customers was also stolen in the hack, including credit scores, credit limits, balances, payment history, and contact information. It is unclear how many current credit card customers were affected.

While data of this type is often encrypted, in an FAQ posted to the Capital One site, the company said, “Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.” However, some information was tokenized.

In a statement, Capital One said, “Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”

When did the breach happen?

Along with the breach disclosure, the FBI announced that it had arrested and charged a Seattle woman, Paige A. Thompson, in connection to the breach. Authorities allege that Thompson stole the data on March 22 and 23, and then posted the data to her personal GitHub account a few weeks later in April.

The vulnerability that Thompson exploited, along with the link to the data on GitHub, was reported to Capital One by an external security researcher through the company’s Responsible Disclosure Program on July 17. After investigating, Capital One discovered the breach on July 19 and immediately notified federal law enforcement of the incident.

The breach stands out not only for its severity but also because hackers are so rarely caught. In nearly all of the major breaches in recent years, from Equifax and Facebook to Marriott and Under Armour, the hackers were never identified or caught.

How did it happen?

Thompson exploited a misconfigured application firewall to gain unauthorized access to more than 700 AWS buckets, extracting nearly 30GB of credit application and customer data in March and April of this year. Thompson used a variety of commands once she had gained access to the server to escalate privileges and get access to additional buckets of data.

According to the criminal complaint filed by the US Attorney’s Office, Thompson used the Tor browser and a VPN service known as IPredator to try to conceal her identity while carrying out the hack. Even though she initially took steps to conceal the intrusion, she then posted the stolen data to her personal GitHub account. The link itself included her full name in the URL, which she then shared on Slack and through direct messages on Twitter.

The FBI was also able to link a number of Tor exit nodes that connected to the Capital One server to IP addresses controlled by IPredator. Investigators discovered that those same IP addresses were also associated with her GitHub account. According to Brian Krebs, Thompson “may have also located tens of gigabytes of data belonging to other major corporations.”

What is Capital One doing about it?

The company will be providing free credit monitoring and identity protection services to everyone affected.

It has also set up a dedicated website with more information for US customers at https://www.capitalone.com/facts2019/ and for Canadian customers at https://www.capitalone.ca/facts2019/.

According to the Capital One website, the company will begin notifying impacted individuals next week. It will notify affected individuals by mail, so be on the lookout for imposter scams and phishing emails as hackers often exploit the confusion in the days after a breach to prey on unsuspecting victims. Capital One will not contact you asking for personal information over the phone or via email.

What can I do to protect myself?

In the wake of the Capital One breach it is more important than ever to take proactive steps toward safeguarding your data and protecting your identity online. Here are some steps you can take now:

1. Freeze Your Credit: One of the most effective ways of reducing the risk of identity fraud is to freeze your credit. Freezing your credit will help prevent fraudsters from opening up new financial accounts or lines of credit in your name.
2. Monitor Your Credit & Identity: By monitoring your credit reports for suspicious changes or new accounts, you can quickly identify fraudulent activity when it occurs and take steps to mitigate the damage. If you were affected by the Capital One breach, make sure you sign-up for free credit monitoring when it becomes available.
3. Enable Two-Factor Authentication: 2FA is an extra layer of security used to make sure that the person who is trying to get access to an account is who they say they are. Two-factor authentication makes it much harder for hackers and identity thieves to get unauthorized access to your online accounts.
4. Stay Vigilant: As always, the best way to protect your data and identity is to stay vigilant and to always be on the lookout for suspicious activity. Never click on links you receive by email or text that you don’t recognize. Watch out for imposter scams and phishing attacks. Never give out personal information to anyone or any company you don’t know or haven’t reach out to directly.

For more steps you can take to safeguard your data, check out our full guide on how to protect your identity.

To learn more about data breaches, check out our ultimate guide to data breaches.

Bloom: Take Back Control of Your Data

At Bloom, we are giving you the tools to take back control of your data. No more centralized data storage. No more selling off your data to the highest bidder. No more risking identity theft. Bloom enables you to own, control, and protect your data using the latest advancements in blockchain technology.

It’s time to take back control of your data and unlock the power of a secure, reusable identity today. Download the Bloom mobile app to build a cryptographically secure identity and get free data breach alerts with Radar!