Capital One Financial Corporation announced a data breach that affected approximately 100 million individuals in the United States and approximately 6 million in Canada.

Capital One says it immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible and that person is in custody. "Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate," says a press release.

"No credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised," the press release says.

This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

The press release says, "No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of credit card customers
  • About 80,000 linked bank account numbers of secured credit card customers

For Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident." Capital One will notify affected individuals through a variety of channels and will make free credit monitoring and identity protection available to everyone affected.

Jack Kudale, founder and CEO of Cowbell Cyber, says, “The latest known breach at Capital One highlights the importance of addressing the gap in insurability. It appears that there will be overwhelming attention to the S3 buckets where this information was stored. As the enterprise risk managers around the world now focus on response and recovery, the shift from traditional prevention and detection budgets will quickly shift to insurance.”

Chris Morales, head of security analytics at Vectra, says, “It’s still early, and I think this one is going to develop out a bit more. However, I wouldn’t put it at the same level as the Equifax breach. What was exploited was a website vulnerability that gave access to credit card applications, including 140,000 social security numbers and 80,000 linked bank account numbers. I think it will need to play out in the next day or so. While these numbers sound big, it was attributed to a specific person who was already arrested. I’m curious if the data was ever released to the public.”