
Hacked: Details of 100 Million Capital One Customers

Giulio Saggin
Tuesday 28 November 2023

The personal details of more than 100 million Capital One customers and credit card applicants across North America have been stolen in a data breach.

The financial services company said the hacker did not access credit card account details, but did obtain the names, addresses and phone numbers of people who had applied for credit card products. In the USA, about 80,000 linked bank account numbers and 140,000 Social Security numbers were also compromised, and in Canada a further one million social insurance numbers were accessed.

A statement released by Capital One said that "a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure."

The configuration vulnerability was reported to the company by an external security researcher on July 17. Capital One began its own internal investigation and on July 19 discovered "unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers. This occurred on March 22 and 23, 2019."

Capital One encrypts its data as standard procedure, but in this case the unauthorized access also enabled the decrypting of that data. Encryption at rest offers no protection when the access path itself carries the rights needed to decrypt; that is what makes the separately keyed tokenized fields described next the more instructive part of the statement.

It is also the company's practice to "tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected."

In the wake of the hack, Paige Thompson, a 33-year-old Seattle software engineer, was arrested on July 29. Court documents claim she bragged about the breach online; a statement by the US attorney's office says: "On July 17 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft." Thompson faces a maximum prison sentence of five years and a US$250,000 fine.

© 2024 SecAlerts Pty Ltd.