Capital One bank data breach affects 100m applications

30 Jul 2019

Image: © Oleksandr/

Details have emerged of a cyberattack levelled against financial company Capital One that affected 100m customer applications.

Financial corporation Capital One has confirmed that its systems were hacked. The attack, which targeted personal information relating to Capital One customers and people who had submitted credit card applications, was first discovered on 19 July, although court documents claim that the actual hack likely took place on 22 or 23 March.

The firm estimates that 100m people in the US and 6m in Canada were affected, but maintains that no credit card account numbers or login credentials were compromised, and that more than 99pc of social security numbers were not breached.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard Fairbank, chair and CEO, in a statement on the company’s website. “I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”

The threat actor accessed information routinely collected by Capital One when it processes credit card applications, such as names, addresses, postal codes, phone numbers, email addresses and self-reported income. The cybercriminal also obtained consumer status data such as credit scores and credit limits, and fragments of transactions during a select number of days in 2016, 2017 and 2018.

In total, Capital One said that around 140,000 US social security numbers and roughly 80,000 US linked bank account numbers were leaked, as were approximately 1m Canadian social insurance numbers.

The US Department of Justice has confirmed that a former software engineer at a Seattle tech company, Paige A Thompson, was arrested for the attack and will be subject to a hearing on 1 August 2019.

The complaint against Thompson claims that she posted details about the theft of the information, which she allegedly obtained through a misconfigured web application firewall, on source code hosting site GitHub. The FBI subsequently seized electronic storage devices from Thompson’s home that contained a copy of the stolen data.

Sure cyberattack

In the UK, meanwhile, details are emerging of a cyberattack that impacted the bank details of around 400 members of both current and former staff of mobile phone company Sure.

The breach impacted workers for the telecoms firm on the Isle of Man, Guernsey and Jersey, and included personal data such as names, addresses, account numbers and sort codes. No existing customer data was stolen.

The breach is thought to have originated from a targeted phishing attack aimed at a staff email account.

“The loss of data was the result of human error and only affected one staff email account, which our systems identified and subsequently shut down. Sure’s systems were never compromised,” said Tim Stonebridge, chief security officer at Sure.

“While the data that has been stolen cannot be used in isolation, we have advised those affected to be extra-vigilant. We’d like to apologise to all those who have been affected. Security is of paramount importance to Sure and our employees undergo regular cybersecurity training.”

Eva Short was a journalist at Silicon Republic