Capital One Financial Corp., the North American bank holding giant, announced on Monday that a hacker had managed to gain access to the personal information of more than 6 million Canadians and 100 million Americans.
The company said it discovered the hack on July 19. The data was taken from Capital One’s credit card applicants and included names, addresses, zip codes, phone numbers, credit scores, and balances. Up to 140,000 social security numbers and 80,000 linked bank account numbers in the United States were also accessed by the hacker. In Canada, the social security numbers of 1 million customers were compromised.
According to its Canadian website, Capital One was made aware of the security breach on July 17 by an external researcher through the company’s responsible disclosure program. The tip led the company to begin its own investigation, which confirmed the breach two days later.
The FBI was involved in the case and has arrested the hacker behind the incident. Paige Thompson, a 33-year-old former software engineer, was charged with computer fraud and abuse by the U.S. District Court in Seattle, after cyber investigators were able to trace the source of the hack and execute a search warrant at her residence.
Thompson, who goes by the alias “erratic” online, allegedly posted about her successful hack on the software development platform GitHub, which led to the discovery of the incident. A press release on the United States Department of Justice website says she was able to gain access to the data through a misconfigured firewall.
Although Capital One said it is unlikely the information was used for fraud, it is offering free identity theft insurance as well as credit monitoring services to all affected customers.
“Safeguarding our applicants and customers’ information is essential to our mission and our role as a financial institution,” the company said on its website. “We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses.”
Capital One’s chairman and CEO, Richard D. Fairbank, also issued a formal apology regarding the incident. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Fairbank said. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Following the announcement of the security breach, Capital One’s stock dropped nearly 7% as of the morning of July 30.
The company said it will be notifying the individuals who were impacted by the hack through “a variety of channels,” and encourages customers to set up account alerts to keep track of activity so that they can further protect their information.
As for additional steps, Capital One advises Canadians to order a copy of their credit report from credit bureaus Equifax Canada or TransUnion Canada. The reports can be reviewed for suspicious activity, such as unfamiliar company inquiries or unauthorized accounts being opened, and contain personal data such as social insurance numbers that can be checked for accuracy. Any errors can be brought to the attention of the credit bureaus for correction.
Thompson made her first appearance in the U.S. District Court in Seattle on July 29, and will be attending a hearing scheduled for Aug. 1.