Capital One data breach hits about 6 million people in Canada, 100 million in U.S.
Capital One Financial Corp announced Monday that the FBI has arrested an alleged hacker who reportedly accessed the personal information of as many as six million people in Canada and 100 million people in the United States.
That personal information included names, addresses, phone numbers, postal codes, email addresses, birthdates and self-reported income.
In Canada, where it provides Mastercard credit cards for Costco Wholesale’s Canadian retail network, Capital One said approximately one million social insurance numbers (SIN) were compromised.
The information exposed in the hack was largely linked to consumers and small businesses that applied for Capital One credit card products between 2005 and early 2019, the company said in a news release.
Also exposed were customer status data, such as credit limits, scores, balances and payment histories.
However, Capital One also said no one’s credit card account numbers or login information was compromised.
WATCH: Capital One data breach impacts 6 million people in Canada
Capital One discovered the hack on July 19 and the person believed to be responsible is in custody.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Capital One chairman and CEO Richard Fairbank said in a statement.
“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Capital One is offering free credit monitoring and identity protection for people who have been affected.
The U.S. Department of Justice said 33-year-old Paige A. Thompson, alias “erratic,” was detained in connection with the hack, pending a hearing that’s expected to happen on Thursday.
WATCH: July 22 — Equifax to pay up to $700M to U.S. as result of 2017 data breach
Thompson was a systems engineer at Amazon Web Services between 2015 and 2016, about three years before the breach took place. While that service is used by Capital One, there is no evidence that Amazon’s cloud system was involved in the breach.
A resume referenced in the criminal complaint named a “Paige Thompson” who worked at the Cloud Computing Company from 2015 to 2016.
Capital One uses servers provided by the Cloud Computing Company, the complaint added.
Thompson was arrested on a criminal complaint that charged computer fraud and abuse for intruding on Capital One’s stored data.
The criminal complaint charged that Thompson posted on GitHub — which is owned by Microsoft — about having stolen info from servers that stored data for Capital One.
She allegedly managed to do this thanks to a “misconfigured web application firewall” that allowed the data to be accessed.
A GitHub user notified Capital One on July 17 that the data may have been compromised.
WATCH: Sept. 15, 2017 — Equifax reportedly knew for months about cyber-security vulnerability
Capital One contacted the FBI two days later, once it learned that someone had intruded on that data.
Investigators identified Thompson as the alleged hacker. The FBI raided Thompson’s residence Monday and seized digital devices that held copies of the data.
If found guilty, Thompson could face a $250,000 fine and up to five years behind bars.
These charges have not been proven and anyone charged is presumed innocent until proven guilty beyond a reasonable doubt.
In its statement, Capital One said it “immediately fixed the configuration vulnerability” that allowed for the hack to happen.
WATCH: Sept. 8, 2017 — Massive cyber-attack at Equifax could leave millions vulnerable
The criminal complaint outlines how investigators linked Thompson to the hack.
They examined a file known as the “April 21 File” on GitHub and found that it had been posted on an address that included Thompson’s full name.
The “April 21 File” contained code for three commands that allowed access to Capital One files at the Cloud Computing Company.
Clicking on that name in the GitHub page’s address took users to a main GitHub page that also included Thompson’s name.
The profile attached to that page also hosted a link to a GitLab page — a page that included a resume for someone named “Paige Thompson.”
The resume said Thompson was a systems engineer who worked for the Cloud Computing Company over the course of two years.
“Based on this evidence, I believe that Paige A. Thompson is the user of the GitHub and GitLab accounts described therein,” an investigator said in the criminal complaint.
The investigator went on to say that he looked into a Meetup group that he said Thompson had used.
The group’s organizer was identified as “Paige Thompson (erratic),” including an alias that matched a Twitter account that had been linked to Thompson.
On June 27, a Slack user posted under the name “erratic” responded to someone else, saying: “don’t go to jail plz.”
“Erratic” then responded by describing the method by which Capital One’s data was accessed in the first place, according to the criminal complaint.
Other Canadian privacy leaks
In Canada, Desjardins Group revealed a data breach in June that saw the leak of names, addresses, birthdates, social insurance numbers and other private information from roughly 2.7 million people and 173,000 businesses.
Desjardins, a Quebec-based co-operative, said a single employee, who has been fired since the breach was detected in December 2018, was responsible. A police investigation into the incident is ongoing.
In 2017, a data breach at Equifax, one of the major credit reporting companies, exposed the Social Security numbers and other sensitive information of roughly half of the U.S. population and about 19,000 Canadians.
Canada’s Office of the Privacy Commissioner concluded in April that the company fell short of their privacy obligations to Canadians, including poor security safeguards and holding information too long, but it did not level fines.
Last week, Equifax agreed to pay at least $700 million to settle lawsuits over the breach in a settlement with federal authorities and states. The agreement includes up to $425 million in monetary relief to consumers.
The average cost of a data breach in the U.S. last year was just under $8 million, according to a study by IBM Security and Ponemon Institute.
— With files from Gene Johnson, The Canadian Press, and Alex Veiga, The Associated Press
© 2019 Global News, a division of Corus Entertainment Inc.