Capital One Data Breach Hits 100 Million People: What to Know

A Capital One bank branch on a city street.
A Capital One bank branch in Washington, D.C. (Image credit: Helen89/Shutterstock)

Updated July 30 to add more details. This story was originally published July 29.

A solo hacker broke into the servers of Capital One Financial Corporation and accessed data pertaining to 106 million credit-card applicants from the United States and Canada, Capital One announced yesterday (July 29) after the close of stock trading in New York.

"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," Capital One Chairman and CEO Richard D. Fairbank said in a company statement.

The information compromised included, according to the bank, "personal information Capital One routinely collects at the time it receives credit-card applications, including names, addresses, ZIP codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income."

That's enough personal data to give a skilled identity thief a good head start, but if there's any upside to this breach, it's that no credit-card numbers or online account credentials were stolen, the bank said. 

About 1 million Canadian Social Insurance Numbers and 160,000 U.S. Social Security numbers were stolen, but millions of other such numbers were obscured in a manner that the hacker could not decrypt. About 77,000 bank-account numbers were stolen.

"We will notify affected individuals through a variety of channels," the bank said in its official statement. "We will make free credit monitoring and identity protection available to everyone affected."

MORE: Best Identity Protection Services

The U.S. Department of Justice announced that a woman named Paige A. Thompson, 33, had been arrested in Seattle and charged with a single violation of the Computer Fraud and Abuse Act in connection with the Capital One intrusion.

The intrusion into Capital One's servers occurred in March, according to the criminal complaint filed against Thompson. Thompson allegedly got into the servers through a configuration error in a web application firewall, and posted some of the stolen data on GitHub, an online software-development repository owned by Microsoft. 

Media reports said Capital One was using Amazon Web Services servers to handle its data, and Thompson's resume, which she apparently posted online, states that she worked for Amazon's cloud-computing division in 2015 and 2016. 

The criminal complaint says Thompson, who used the online handle "erratic" on GitHub, Slack and Twitter, corresponded with other individuals on those platforms discussing the data she had taken from Capital One. In some instances, she used her real name.

Twitter account header for Erratic account.

The header for the Erratic Twitter account. (Image credit: Twitter)

On July 19, one of those individuals apparently notified Capital One through its bug-bounty program of the existence of the stolen data, and Capital One subsequently confirmed the intrusion. 

Thompson was also apparently the founder of an online social group called Seattle Warez Kiddies, but that page was taken down Tuesday morning (July 30). "Warez" is hacker slang for stolen software or files.

Thompson owns a web-hosting company called Netcrave Communications. There's no website for Netcrave, but there is a Gitlab page. Her apartment was raided and she was arrested July 29.

The criminal complaint infers from Thompson's online correspondences that she intended to distribute the data stolen from Capital One, although the screenshots included in the complaint make it seem that she was trying to give it away rather than sell it.

If convicted, Thompson faces up to five years in federal prison and a $250,000 fine.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.