Capital One Data Breach Hits 100 Million People: What to Know

News
By published

Suspect arrested

A Capital One bank branch on a city street.
A Capital One bank branch in Washington, D.C. (Image credit: Helen89/Shutterstock)

Updated July 30 to add more details. This story was originally published July 29.

A solo hacker broke into the servers of Capital One Financial Corporation and accessed data pertaining to 106 million credit-card applicants from the United States and Canada, Capital One announced yesterday (July 29) after the close of stock trading in New York.

"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," Capital One Chairman and CEO Richard D. Fairbank said in a company statement.

The information compromised included, according to the bank, "personal information Capital One routinely collects at the time it receives credit-card applications, including names, addresses, ZIP codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income."

That's enough personal data to give a skilled identity thief a good head start, but if there's any upside to this breach, it's that no credit-card numbers or online account credentials were stolen, the bank said. 

"We will notify affected individuals through a variety of channels," the bank said in its official statement. "We will make free credit monitoring and identity protection available to everyone affected."

The intrusion into Capital One's servers occurred in March, according to the criminal complaint filed against Thompson. Thompson allegedly got into the servers through a configuration error in a web application firewall, and posted some of the stolen data on GitHub, an online software-development repository owned by Microsoft. 

Twitter account header for Erratic account.

The header for the Erratic Twitter account. (Image credit: Twitter)

On July 19, one of those individuals apparently notified Capital One through its bug-bounty program of the existence of the stolen data, and Capital One subsequently confirmed the intrusion. 

Thompson was also apparently the founder of an online social group called Seattle Warez Kiddies, but that page was taken down Tuesday morning (July 30). "Warez" is hacker slang for stolen software or files.

Thompson owns a web-hosting company called Netcrave Communications. There's no website for Netcrave, but there is a Gitlab page. Her apartment was raided and she was arrested July 29.

The criminal complaint infers from Thompson's online correspondences that she intended to distribute the data stolen from Capital One, although the screenshots included in the complaint make it seem that she was trying to give it away rather than sell it.

If convicted, Thompson faces up to five years in federal prison and a $250,000 fine.

Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.