The personal details of more than 100 million Capital One credit card holders in North America have been stolen in a data breach.

More than one million social insurance numbers, 140,000 social security numbers and 80,000 bank account numbers were compromised during the cyber-attack.

Other information accessed during the breach includes names, addresses, phone numbers, emails, dates of birth, and self-reported income of customers who applied for credit products from the company between 2005 and 2019, as well as some credit and transaction data.

The FBI has made one arrest in its investigation of the incident – a 33-year-old former Amazon Web Services software engineer who has made an initial appearance in federal court in Seattle and remains in custody.

The news comes just a week after credit scoring giant Equifax agreed a $700m settlement with US authorities over its own data breach in 2017.

Capital One CEO Richard Fairbank said he was “deeply sorry for what has happened”.

“I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right,” he added.

 

Data breach will prove a costly incident for Capital One

The Virginia-based financial services company says the vulnerability has now been fixed, and that it is “unlikely” the stolen data has either been used for fraud or distributed to third parties.

Approximately 100 million individuals in the US and a further six million in Canada are reported to have been affected, with Capital One offering to provide free credit monitoring and identity protection to the people involved.

capital one breach
Millions of North American customers were affected by the breach

The attack occurred in March this year but it wasn’t until 19 July when Capital One discovered the breach – two days after being tipped off about the vulnerability in its system.

Costs relating to the incident are expected to run as high as $150m during the course of 2019 for the financing of ongoing customer notifications, credit monitoring, technology costs and legal support.

 

Configuration of cloud storage by Capital One under scrutiny after breach

Cyber security expert James Barrett, EMEA senior director at network monitoring firm Endace, believes the long-term cost to Capital One could be “huge”, taking into account the additional reputational damage caused by security lapses such as this one.

The fact that the data was stolen from cloud-based storage has prompted some scrutiny of Capital One’s digital security habits, although the company has dismissed the issue.

Mr Barrett said: “Visibility is the first step to security.

“Clouds by their very nature are opaque. They provide the means to get to visibility and they have been improving recently, but even so I’m not convinced that companies implement that in a meaningful way.

“There are question marks about the way organisations implement cloud strategies when it comes to security – especially when dealing with personally identifiable information.”

capital one
Capital One says cloud infrastructure was not the cause of the breach

Capital One maintains that having the hacked information stored on the cloud was not the cause of the breach, however, suggesting this type of vulnerability is “not specific” to cloud storage.

In a statement, it said: “The elements of infrastructure involved are common to both cloud and on-premises data centre environments.

“The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.”

The arrested person alleged to have perpetrated the attack has been named in court proceedings as Paige Thompson, a former employee of Amazon Web Services – the company from which Capital One sources its cloud services.

Amazon spokesman Grant Milne said the Capital One breach would not have required “insider knowledge”, while court papers filed in the case against Ms Thompson suggested a “firewall misconfiguration” was to blame for the security lapse.

Mr Barrett added: “The attacker bragged about what she had done on various forums.

“So if Capital One hadn’t been tipped off about it, then how long would it have taken to discover the breach?

“From the details that have emerged, it looks like better real-time analysis of log and network data would have revealed this breach much sooner.”