Update: Despite Capital One stating that the information was not disseminated, the hacker posted it on their public GitHub and at least one person accessed that data (as they reported the breach to Capital One). Wired has more in-depth information on this.
Capital One has announced that data of approximately 100 million individuals in the United States (and approximately 6 million in Canada) has been accessed by an outside individual in the latest data breach. The FBI has arrested the individual responsible for the breach and Capital One believes that the information stolen has not been disseminated.
Key Facts
- No credit card numbers or login details were stolen
- Over 99% of Social Security numbers were not compromised (140,000 Social Security numbers and 80,000 linked bank account numbers were stolen). The Social Security numbers that were stolen were from customers that used their Social Security number as their Employer Identification Number in applying for small business credit cards
- Stolen data includes names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income
- Credit data was also stolen:
  - Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  - Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
Final Thoughts
It’s unclear how Capital One will be helping affected customers at this stage. It’s good that the individual has been apprehended, but I’m always cautious when corporations say that the data has not been disseminated, as we do not know on what basis they are making that claim and oftentimes that statement is revised down the line as new information comes to light.
I’ve said it before and I’ll say it again: until the penalties for data breaches are increased, they will continue to occur at an alarming rate. The damage that can be done to individuals when this data is stolen can be significant and I don’t believe corporations are investing enough resources into informational security.
