A lone hacker has accessed the personal data of more than 100 million customers of America’s fifth-largest credit card issuer, Capital One, in one of the biggest data breaches ever in the financial services sector.
According to the bank and the US Department of Justice, a 33-year-old software engineer in Seattle, Paige Thompson, hacked into a server holding customer information for Capital One and gained access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers.
And she had plenty of time: Investigators said Thompson accessed that server from March 12 to July 17.
If found guilty, she could face a sentence of up to five years in prison and a $250,000 fine, arguably a fairly small price to pay for the amount of data stolen.
So, are you a Capital One customer? And if so, are you at risk?
Yes, if you applied for a credit card from the US bank from 2005 through 2019, according to a Capital One statement.
But the bank says that credit card account numbers were not part of the data heist. And even though 140,000 Social Security numbers were breached, Capital One points out that over 99% of Social Security numbers were not affected.
"No credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised," Capital One stated.
However, the breach did include names, addresses, ZIP codes, phone numbers, email addresses and birthdates.
Capital One said it would notify people affected by the breach and would make free credit monitoring and identity protection available.
The company expects the hack will cost it approximately $100 million to $150 million, which includes the cost of notifying customers, credit monitoring, tech costs and legal support.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, chairman and CEO, in a statement. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
Thompson, the hacking suspect, previously worked for Amazon Web Services, which hosted the Capital One database.
Thompson has been arrested and charged with one count of computer fraud and abuse. Investigators were able to identify her because she left an online footprint and boasted about the hack.
The Justice Department has referred to Thompson as “erratic”.
Thompson posted the information on GitHub, using her own name, and also indicated on social media that she had Capital One information.
The FBI noticed her activity on Meetup and used it to trace her other online activities, eventually linking her to posts describing the data theft on Twitter and Slack.
“I’ve basically strapped myself with a bomb vest,” Thompson wrote in a Slack post, according to prosecutors, “dropping capital ones dox and admitting it.”
This latest hack follows a massive data breach at Equifax in 2017 involving the Social Security numbers and home addresses of nearly 148 million Americans.
Equifax has agreed to pay at least $575 million, and up to $700 million, to the US Federal Trade Commission, the Consumer Financial Protection Bureau, 48 states, DC and Puerto Rico over the breach.
Initially, there would be a $300-million fund to compensate affected consumers who purchased credit-monitoring services from Equifax. Equifax will also pay $175 million to states and districts, and $100 million in civil penalties to the Consumer Financial Protection Bureau.
By Michael Kern for Safehaven.com