Capital One Was Hit by a Massive Data Breach - Here's What You Need to Know
If you applied for a credit card at Capital One between 2005 and 2019, you are very likely to be affected by the data breach the US bank announced yesterday. Capital One admitted that a hacker accessed copious amounts of personal information related to 100 million people in the US and a further 6 million Canadians. Fortunately, the exposed data doesn't include any card details or usernames and passwords, but it does contain most of the information a typical customer provides when they apply for a credit card. This means that the names, addresses, phone numbers, emails, dates of birth, and reported incomes of the victims were leaked.
The hacker also obtained the credit scores, credit limits, and payment histories of some credit cardholders. In addition to this, Capital One discovered that 140 thousand US Social Security numbers, 80 thousand linked bank account numbers, as well as the Social Insurance Numbers of approximately 1 million Canadians, were accessed.
The police already have a suspect
The bank is in the process of contacting all affected customers and will offer free credit monitoring and identity theft protection to all victims, which is pretty typical for this type of incident. What is unusual is to have a prime suspect in custody at such an early stage of the investigation. In the case of the Capital One data breach, however, FBI agents have already apprehended the person who they think might be responsible. Her name is Paige A. Thompson, she goes by the alias "erratic", and her hearing is scheduled for August 1.
It's still early to say whether or not Paige Thompson really has done the things she is charged with. The court will need to decide whether this is the case, and until then, we can do little more than see how she ended up in custody.
How did the FBI get to Paige Thompson?
Capital One's systems were first breached in March, but its security team remained none the wiser for the next four months. On July 17, they were tipped off by a GitHub user who used the bank's responsible disclosure program to inform them of some peculiar data he had found on the world's biggest code hosting platform.
The bank started an investigation, and within two days, it knew that a misconfigured web application allowed the exfiltration of quite a lot of customer data. The hole was plugged, and the authorities were called.
After taking a look at the reported GitHub data and linking the account it was posted on to some profiles on LinkedIn and GitLab, FBI agents were pretty confident that the person they were looking for was Paige Thompson. Logged IP addresses that belonged to Thompson's VPN provider fueled their suspicion further, and after the arrest, they seized her computers, which allegedly contain a copy of the Capital One data as well as some pretty incriminating Twitter and Slack chats. If what the FBI says is true, Thompson could be facing a prison sentence of up to five years, as well as a $250 thousand fine.
What can victims do?
The correspondence found on Thompson's Twitter and Slack accounts suggests that she was ready to start disseminating the stolen data. The good news is, according to Capital One's analysis, "it is unlikely that the information was used for fraud". Nevertheless, you mustn't ignore the problem. If you've been affected by the breach, you could do worse than take Capital One up on its offer for free credit monitoring and identity theft protection. Keeping a close eye on your balance sheet and your bank statements is as important as ever, and if you see any anomalies, you must get in touch with the right people as quickly as possible. The most important thing is to exercise more caution than usual and to try and be as vigilant as possible.