Capital One data breach affects 106 million people – A Woman Arrested

Capital One data breach

Capital One has announced a violation of the data that discloses the personal data of 106 million people, including data for transactions, credit scores, payment history, balances, etc.

The data breach was found when an ethical hacker disclosed the vulnerability to Capital One responsibly on 17 July 2019. After conducting an internal investigation into the past use of this vulnerability, Capital One found that unauthorized users accessed their systems and customer information between 22 and 23 March 2019.

“On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers”, Capital One stated in a data security incident notice. “This occurred on March 22 and 23, 2019.”

Their research found that the unauthorized user had access to data in the United States for 100 million people and in Canada for 6 million people.  They provided information to the FBI that arrested the suspected hacker after fixing the vulnerability used in the violation.

A wide range of other details have been accessed while no credit card numbers or login credentials have been accessed.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of our credit card customers
  • About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.”

Capital One notifies every user affected by the email and provides a free credit surveillance service.

Due to the amount of personal information exposed and how identity theft can be used, it is highly recommended that the users monitor their credit reports for suspicious activity and report immediately to Police, Capital One and Credit Agencies anything that has been detected.

It is also strongly suggested you freeze your credit report if it is impacted that bad actors find it more difficult to take out credit in your name fraudulently.

How Capital One got hacked?

Thompson’s criminal complaint paints an impression of a less careful suspect.

The complaint says that Thompson has published information on GitHub using its full first, middle, and last name. She also boasted of having information from Capital One on social media.

Thompson explained in a channel on Slack, a chat service frequently used by companies and other groups the method used to break Capital One, the Department of Justice claims. She claimed that she was using a special command to extract files from an Amazon servers Capital One directory.

“I wanna get it off my server that’s why Im archiving all of it lol,” Thompson allegedly posted on Slack. One person was alarmed by what Thompson found, writing that the information was “sketchy,” adding, “don’t go to jail plz.”

Thompson did little to cover her identity up. She allegedly used Slack’s “erratic” screen name, which she used on a Twitter and Meetup chatroom page.

Thompson’s FBI special agent who surveyed believed that she wanted to distribute the Social Security numbers with full names and birth dates.

One person who saw the information about GitHub notified Capital One of the company’s “leaked data.” Capital One informed the FBI, and Thompson’s residence was searched by an agent on Monday. They found devices that refer to Capital One and Amazon and other entities that could have been the object of attempted–or actual–violation.

The complaint states that Thompson “recognizes that she has acted illegally.”


Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.