Skip to main content

Back to Blog

The CapitalOne Cyber Security Incident

Capital One Financial Corporation just disclosed a cyber security incident that impacts about 100 million people in the U.S. and 6 million in Canada.  

The customer data was illegally accessed sometime between March 12 and July 17, according to federal prosecutors.

According to Capital One’s site, the largest category of information that was accessed was from consumers and small businesses that applied for a credit card from 2005 through early 2019.  The alleged perpetrator of this incident was arrested today. 

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Richard D. Fairbank, Chairman and CEO, Capital One

What was exposed for 100 million Americans and 6 million Canadians?

The majority of the exposure included Personally Identifiable Information (PII) that is routinely collected at the time the company receives credit card applications: names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. It also included some customer data with credit scores, credit limits, balances, payment history, contact information and fragments of transaction data from a total of 23 days during 2016, 2017 and 2018. 

A subsegment of sensitive data was also exposed for some individuals:

  • About 80,000 linked bank account numbers of secured credit card customers
  • About 140,000 Social Security numbers of American credit card customers
  • About 1 million Social Insurance Numbers for Canadian credit card customers.

How was this attack executed?

According to ARSTechnica, FBI Special Agent Joel Martini wrote a criminal complaint which indicated that a GitHub account belonging to Paige A. Thompson showed that earlier this year, someone exploited a firewall vulnerability in Capital One’s network. This exploit allowed an attacker to execute a series of commands on the bank’s servers.  One command executed in the firewall hack allowed the intruder to uncover credentials for an administrator account. The command in turn enabled access to bank data stored by the unnamed cloud computing company. Other commands allowed the attacker to enumerate folders stored on the service and to copy their contents. IP addresses and other evidence ultimately showed that Thompson was the person who exploited the vulnerability and posted the data to Github. Thompson allegedly used a VPN from IPredator and Tor in an attempt to cover her tracks. At the same time, Martini said that much of the evidence tying her to the intrusion came directly from things she posted to social media or put in direct messages.

Capital One’s Response

Capital One has a disclosure program which provides an avenue for ethical security researchers to report vulnerabilities directly to them. The configuration vulnerability was reported to them by an external security researcher on July 17, 2019. Through an internal investigation, they verified the incident on July 19, 2019.  The incident occurred on March 22 and 23, 2019. The data was encrypted but the unauthorized access also enabled the decrypting of data. However, some data fields were tokenized, such as Social Security numbers and account numbers. Tokenized data remained protected.

Capital One asserts that a highly sophisticated technology expert was able to exploit a specific configuration vulnerability in their infrastructure. After this was discovered, they immediately addressed the configuration vulnerability and verified there are no other instances in their environment. They have also augmented their routine automated scanning to look for this issue continuously and is not blaming this vulnerability on their cloud-based infrastructure. However, they credit the cloud operating model for the speed with which they were able to diagnose and fix this vulnerability, and then determine its impact.

What are the implications for victims?

Unfortunately this incident goes beyond just privacy. While the majority of victims did not have their Social Security numbers and bank account numbers exposed, the PII data above is still a treasure-trove of information for identity thieves.  If a criminal can map an individual’s data to Social Security numbers, bank accounts and username/password credentials, it can become easy to steal their identity to commit account takeover and fraud.  It is unknown at this time what Thompson did with all these records and if she sold them on the dark web. However, evidence from past data breaches suggest this type of data is eventually leaked, putting more individuals and businesses in jeopardy.

What steps should individuals take to protect themselves?

Until more is known about this case, it is important for US and Canadian citizens impacted to watch for signs of identity theft. An easy way to do this is to sign up for identity theft protection through a service like IDShield.  According to Capital One’s notification, they also plan to offer free credit monitoring and identity protection to everyone affected but that can take time to set up.   

In the meantime, consumers can get a free credit report each year through to see their credit report. Consumers should check their online accounts for any signs of fraudulent activity. They should also review annual earnings statement from the Social Security Administration (SSA) to determine if anyone has been using their SSN. Lastly, consumer should review your bank, credit card and financial statements regularly.

Consumers should be reviewing their identity and data on a regular basis anyways, but it is especially important after these types of security incidents.  For more information on identity theft, see