Massive Data Breach Hits Capital One, Affecting More than 100 Million Customers

By Kelly Tyko, USA TODAY

30 July 19

apital One said Monday that personal information, including the Social Security and bank account numbers of more than 100 million individuals, were compromised in a massive data theft that led to the arrest of a Seattle woman. 

Paige A. Thompson, 33, a former software engineer, is accused of stealing data from Capital One credit card applications in what is one of the top 10 largest data breaches ever, according to USA TODAY research.

The FBI arrested Thompson on Monday for the theft, which occurred between March 12 and July 17, court records show. Among the data allegedly collected from a company cloud-based server were Social Security and bank account numbers. 

According to the Department of Justice, Thompson made her initial appearance in U.S. District Court in Seattle and has been detained pending an Aug. 1 hearing. Computer fraud and abuse is punishable by up to five years in prison and a $250,000 fine.

The bank said "the largest category of information" accessed from applicants who applied for credit cards between 2005 and 2019 was personal information including names, addresses, phone numbers, email addresses, dates of birth and self-reported income.

About 140,000 Social Security numbers were accessed and 80,000 bank account numbers from credit card customers, Capital One said.

Other data obtained includes credit scores, limits, balances and “fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.”

Capital One said in a news release that “100 million individuals in the United States and approximately 6 million in Canada” were affected. The bank also set up a consumer website about the breach at www.capitalone.com/facts2019.

The breach was discovered on July 19 and the company said it “immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement.”

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," Richard D. Fairbank, Capital One chairman and CEO, said in a statement. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

Last week, Equifax reached a deal with the Federal Trade Commission, Consumer Financial Protection Bureau and 50 states on the 2017 breach that affected approximately 147 million Americans.

The deal calls for Equifax to pay at least $575 million, including $300 million for free credit monitoring services, $175 million to states, the District of Columbia and Puerto Rico and $100 million in penalties to the CFPB.

And Monday, the Los Angeles Police Department reported a data breach exposing personal information of thousands of officers and applicants.  

Capital One said in the release the incident is expected to cost between $100 to $150 million in 2019. Free credit monitoring and identity protection will be available to everyone affected, the company said.

Matt Schulz, chief industry analyst at CompareCards.com, said the breach is “yet another reminder of why it is so important to build fraud detection checks into your regular routine.”

He said bank accounts tied to secured credit cards also were compromised.

“These cards are favorites for those who are getting started with credit or who are rebuilding their credit and often have very little financial margin for error,” Schulz said. “There may not be a huge amount of money in these accounts, but it’s very important for cardholders with those accounts to keep as close a watch for fraud as any other type of credit cardholder.”