CapitalOne data exposed in hack
More than 100 million consumers who hold or have applied for Capital One credit cards have had personal information accessed in a security breach.
Capital One has confirmed that on July 19, 2019, it determined that on March 22 and 23, 2019, an “outside individual” obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers. The financial services provider says it immediately fixed the configuration vulnerability that allowed the unauthorized access to occur and “promptly” began working with federal law enforcement.
According to Capital One, the FBI has arrested the person behind the cyberattack and has them in custody. Capital One is continuing to investigate the incident, but says based on analysis to date it appears unlikely the exposed data was used for fraud or disseminated. The company says that so far, analysis indicates the breach affected about 100 million consumers in the U.S. and another 6 million in Canada.
Capital One analysis indicates no credit card account numbers or log-in credentials were compromised. The largest category of information accessed was information on consumers and small businesses as of the time they applied for a Capital One credit card product from 2005 through early 2019. This included personal information such as names, addresses, ZIP codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income; as well as credit scores, credit limits, balances, payment history, contact information, and “fragments” of transaction data from a total of 23 days during 2016, 2017 and 2018.
In addition, about 140,000 Social Security numbers of Capital One credit card customers, about 80,000 linked bank account numbers of secured credit card customers, and approximately 1 million Social Insurance Numbers of Canadian credit card customers were compromised.
According to Capital One, a “highly sophisticated” individual exploited a specific vulnerability in its infrastructure, which was immediately addressed. The company says an outside researcher informed it of the vulnerability of July 17, and a subsequent internal review revealed the breach on July 19. Capital One is taking additional steps to prevent this vulnerability from occurring again and encrypts data, as well as tokenizes certain sensitive customer information such as Social Security numbers and account numbers. Capital One says its use of a cloud infrastructure did not create any additional exposure to this breach, but helped enable its quick response and resolution.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, chairman and CEO of Capital One. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
Capital One expects this incident to generate incremental costs of approximately $100 to $150 million in 2019. Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support.
Beyond the adjusting item in 2019, the company expects any incremental investments in cybersecurity to be funded within its current budget.
Capital One has confirmed that on July 19, 2019, it determined that on March 22 and 23, 2019, an “outside individual” obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers. The financial services provider says it immediately fixed the configuration vulnerability that allowed the unauthorized access to occur and “promptly” began working with federal law enforcement.
According to Capital One, the FBI has arrested the person behind the cyberattack and has them in custody. Capital One is continuing to investigate the incident, but says based on analysis to date it appears unlikely the exposed data was used for fraud or disseminated. The company says that so far, analysis indicates the breach affected about 100 million consumers in the U.S. and another 6 million in Canada.
Capital One analysis indicates no credit card account numbers or log-in credentials were compromised. The largest category of information accessed was information on consumers and small businesses as of the time they applied for a Capital One credit card product from 2005 through early 2019. This included personal information such as names, addresses, ZIP codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income; as well as credit scores, credit limits, balances, payment history, contact information, and “fragments” of transaction data from a total of 23 days during 2016, 2017 and 2018.
In addition, about 140,000 Social Security numbers of Capital One credit card customers, about 80,000 linked bank account numbers of secured credit card customers, and approximately 1 million Social Insurance Numbers of Canadian credit card customers were compromised.
According to Capital One, a “highly sophisticated” individual exploited a specific vulnerability in its infrastructure, which was immediately addressed. The company says an outside researcher informed it of the vulnerability of July 17, and a subsequent internal review revealed the breach on July 19. Capital One is taking additional steps to prevent this vulnerability from occurring again and encrypts data, as well as tokenizes certain sensitive customer information such as Social Security numbers and account numbers. Capital One says its use of a cloud infrastructure did not create any additional exposure to this breach, but helped enable its quick response and resolution.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, chairman and CEO of Capital One. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
Capital One expects this incident to generate incremental costs of approximately $100 to $150 million in 2019. Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support.
Beyond the adjusting item in 2019, the company expects any incremental investments in cybersecurity to be funded within its current budget.