The banking giant has revealed that the hack, which took place on March 22 and 23 this year, exposed the names, addresses, phone numbers, email addresses, dates of birth, and self-reported incomes of around 100 million Americans and 6 million Canadians. Some 140,000 people had their Social Security numbers accessed, and about 80,000 had their bank account details compromised. No credit card numbers or login credentials were taken.
The information came from credit card applications from between 2005 and 2019. Portions of customer data including credit scores, credit limits, balances, payment history, and contact information were also accessed, along with fragments of transaction data totaling 23 days during 2016, 2017 and 2018.
According to the US Justice Department, the hacker behind the attack was arrested yesterday. It names 33-year-old Paige A. Thompson, also known as "Erratic," a former Amazon Web Services engineer.
The criminal complaint states that Thompson exploited a "misconfigured web application firewall," allowing her to gain credentials for an administrator account. She was then able to copy the contents of Capital One folders that were stored under contract on Amazon Web Services.
Thompson posted the stolen data on GitHub, which, along with Slack messages, Twitter DMs, and IP logs, helped authorities tie her to the hack. Her bail hearing is set for Thursday, and she is facing a charge of computer fraud and abuse, which carries a maximum penalty of five years in prison and a $250,000 fine.
Capital One said it has fixed the vulnerability and is offering free credit monitoring and identity theft protection to all, though it did add it's "unlikely that the information was used for fraud or disseminated by this individual." You can find out more from the company's FAQ.
Image credit: Roman Tiraspolsky via Shutterstock