Capital One breach – 100 million users’ data stolen

Global financial services company Capital One has just announced a massive data breach.

The breach notification starts in general terms:

Capital One Financial Corporation announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.

The company continues:

Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.

So far, there are no details to suggest what sort of vulnerability was exploited, and therefore no indication of what has now been changed and how permanent or effective the fixes might be.

We don’t know whether it was an unpatched security flaw, an incorrectly configured access control setting, or some other cybersecurity issue.

The breach is notable more for what was taken than what wasn’t, covering:

  • 100,000,000 users in the USA
  • 6,000,000 users in Canada
  • Any consumer or small business who applied for a credit card in the past 14 years (2005 to early 2019).
  • Personal data including names, addresses, zip codes, phone numbers, email addresses, dates of birth, income.

Some customers also had the following information lifted:

  • Credit scores, credit limits, balances, payment history, contact information and more.
  • Social security numbers (SSNs).
  • Bank account numbers linked to credit cards.

The silver lining is that the majority of customers didn’t lose SSNs in the breach – Capital One says that only 140,000 SSNs and 80,000 bank account numbers were acquired.

The bad part of that, of course, is that if you’re one of the 140,000 then you’re a bit more exposed than the other 99.9% of breached customers.

What to do?

Capital One says on its breach report page that “free credit monitoring and identity protection is available to everyone affected” – there’s a phone number on the web page if you want to find out more.

According to reports, a hacker called Paige Thompson has been arrested in relation to this crime, apparently after boasting online about their actions.

Presumably, the speedy arrest is what has led Capital One to say that it doesn’t think the data has been sold on and therefore that the risk is low.


  • Keep a careful eye on all your statements. Report suspicious transactions immediately.
  • If you have signed up to a credit reporting service, take the time to read the reports you receive. They’re there to help you spot account problems early on, not merely so you can track them down later!
  • Revisit the Capital One info page in a day or two. The company says that “the investigation is ongoing and analysis is subject to change.”