Capital One settles for USD 190 million following data breach affecting 106 million customers

Natasha Smith-Craig

On 29 July 2019, Capital One announced that an external party had gained unauthorised access to the personal information of 106 million credit card applicants and customers by exploiting a configuration vulnerability in its infrastructure. On the same day, the US Department of Justice (DoJ) announced that the Federal Bureau of Investigation (FBI) had arrested the individual responsible for the hack. Capital One said that it expected the cost of the incident to be up to USD 150 million. On 23 December 2021, Bloomberg reported that Capital One had reached a USD 190 million (EUR 170.7 million) settlement in a class action filed by customers over the data breach.

According to Capital One’s press release, the compromised information included details it routinely collected as part of credit card applications and related to 100 million individuals in the US and 6 million in Canada. Bloomberg reports that the information had been held on servers rented from Amazon Web Services (AWS).

The majority of the information related to consumers and small businesses that had applied for credit cards between 2005 and early 2019. This included names, addresses, zip/postal codes, phone numbers, email addresses, dates of birth and self-reported income. Portions of credit card customer data, such as credit scores, credit limits, balances, payment history, contact information and fragments of transaction data from a total of 23 days during 2016, 2017 and 2018, were also reportedly accessed. Furthermore, around 140,000 social security numbers (SSNs) of credit card customers, 80,000 linked bank account numbers of secured credit card customers, and 1 million Social Insurance Numbers (SINs) of Canadian credit card customers had also been accessed.

Capital One assured customers that no credit card account numbers or login credentials had been compromised, and that over 99 per cent of SSNs had not been accessed. The firm stated that although it encrypted data as standard, the attacker had nonetheless been able to decrypt the data. Data which the firm had tokenised, most notably SSNs and account numbers, remained protected.

According to the DoJ, the hacker gained access to Capital One’s servers through a misconfigured web application firewall. Bloomberg reports that the hacker posted about the theft of information from Capital One’s servers on GitHub, a code-hosting website used to manage and store project revisions. On 17 July 2019, another GitHub user notified Capital One that some leaked data had been posted on the site, and the company launched an internal investigation leading to the discovery of the incident on 19 July 2019. Capital One reported that the intrusion on its servers had occurred on 22 March 2019 and 23 March 2019. According to the FBI affidavit, the hacker had accessed the stolen data at various times between 12 March 2019 and 17 July 2019, and a file on the hacker’s GitHub account listed more than 700 folders or buckets of data.

Upon discovering the breach, Capital One immediately addressed the vulnerability, verified that no other instances had occurred, and promptly began working with federal law enforcement. The firm stated that it was able to quickly diagnose and fix the problem and determine its impact thanks to its cloud operating model.

Capital One stated that it would notify the affected customers individually and make credit monitoring and identity protection available to everyone affected. Based on its analysis as of 29 July 2019, Capital One did not believe that the compromised information was used for fraudulent purposes or disseminated by the perpetrator, but investigations were ongoing. Capital One said that it had augmented its routine automated scanning to search for the problem on a continuous basis and would continue to invest heavily in cybersecurity.
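The digest does not say how the attacker was able to read data that Capital One encrypted as standard. In AWS the usual reason is that the compromised identity itself holds permission to use the decryption key, so encryption at rest defends only against someone who has the stored bytes but not the role; tokenised fields survive such a compromise because the token-to-value mapping lives in a separate system the role cannot reach. The following is an added example, not Capital One's or AWS's own tooling, of the kind of check a "continuous automated scan" of an account can run: a small evaluator over IAM role policies that flags roles allowed to read objects from any bucket and to decrypt with any KMS key. The role names, policy documents and canary ARNs are constructed for this example and are assumptions, not details from the incident.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample role policies for this example; they are not Capital One's
# policies and only illustrate the shapes an auditor looks for.
SAMPLE_POLICIES = {
    # Broad read on every bucket plus decrypt with any key: whoever obtains a
    # credential for this role reads the "encrypted" data in clear.
    "web-proxy-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
             "Resource": "*"},
            {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
        ],
    },
    # Least-privilege counterpart: one bucket, one key.
    "web-proxy-role-scoped": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::waf-logs-prod",
                          "arn:aws:s3:::waf-logs-prod/*"]},
            {"Effect": "Allow", "Action": "kms:Decrypt",
             "Resource": "arn:aws:kms:us-east-1:111122223333:key/"
                         "11111111-2222-3333-4444-555555555555"},
        ],
    },
    # Broad read but an explicit Deny on KMS: stolen objects stay ciphertext.
    "reporting-role": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"},
            {"Effect": "Deny", "Action": "kms:*", "Resource": "*"},
        ],
    },
}

# Canary ARNs that no scoped policy should match: if a policy grants access to
# these (hypothetical, non-existent) resources, its Resource is a wildcard.
CANARY_BUCKET = "arn:aws:s3:::canary-bucket-does-not-exist"
CANARY_OBJECT = CANARY_BUCKET + "/canary-key"
CANARY_KEY = ("arn:aws:kms:us-east-1:000000000000:key/"
              "00000000-0000-0000-0000-000000000000")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants. Action matching is case-insensitive like IAM; '*' and '?'
    behave as in IAM patterns. NotAction, NotResource and Condition are not
    modelled and are rejected rather than silently mis-evaluated."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if any(k in stmt for k in ("NotAction", "NotResource", "Condition")):
            raise ValueError("statement uses NotAction/NotResource/Condition")
        action_hit = any(fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, p)
                           for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def audit_role(name, policy):
    """Flag roles that can read objects anywhere and/or decrypt with any key."""
    broad_read = [a for a, r in (("s3:GetObject", CANARY_OBJECT),
                                 ("s3:ListBucket", CANARY_BUCKET))
                  if allows(policy, a, r)]
    broad_decrypt = allows(policy, "kms:Decrypt", CANARY_KEY)
    if broad_read and broad_decrypt:
        severity = "CRITICAL"   # read and decrypt any object in the account
    elif broad_read or broad_decrypt:
        severity = "HIGH"
    else:
        severity = "OK"
    return {"role": name, "severity": severity,
            "broad_s3_read": broad_read, "broad_kms_decrypt": broad_decrypt}


def audit_all(policies=SAMPLE_POLICIES):
    return {name: audit_role(name, p) for name, p in policies.items()}


if __name__ == "__main__":
    for result in audit_all().values():
        print(json.dumps(result))
```

In a real account the policy documents would come from iam:GetRolePolicy and iam:GetPolicyVersion rather than the inline samples, and the scan would run on a schedule against every role that instances or containers can assume. The canary-ARN trick sidesteps parsing the wildcard grammar: a policy that admits a resource which cannot exist is, by construction, broader than any legitimate scope.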

According to its press release, Capital One expected the incident to generate incremental costs of approximately USD 100 million to USD 150 million in 2019, largely driven by customer notifications, credit monitoring, technology costs and legal support. Capital One reportedly carries insurance for certain costs associated with a cyber risk event which is subject to a USD 10 million deductible and standard exclusions, and carries a total coverage limit of USD 400 million.

On 29 July 2019, the DoJ announced that software engineer Paige Thompson had been arrested and charged with computer fraud and abuse in connection with the intrusion of Capital One’s servers. According to Bloomberg, Thompson had previously worked for AWS, but the breach did not require insider knowledge.

On 30 July 2019, Reuters reported that the New York attorney general’s office would begin an immediate investigation into the data breach, and ensure that victims of the breach in New York obtained relief. Additionally, Law360 reported that Capital One credit card customers had filed three class action complaints against the firm in relation to the incident. Each complaint stated that Capital One had failed to put in place proper security practices to protect sensitive customer information.

As of 30 July 2019, investigations were ongoing.

On 23 December 2021, Bloomberg reported that Capital One had agreed to pay USD 190 million to settle a class action suit filed over the data breach. The settlement reportedly covered 98 million customers. Both Capital One and AWS have denied all liability.

On 17 June 2022, the DoJ announced that Thompson had been convicted of seven crimes connected to the hack and data breach at Capital One. According to her statements in online forums, Thompson used a tool she had built to scan AWS accounts to look for misconfigured accounts. She apparently subsequently used those misconfigured accounts to hack into and download data from more than 30 entities, including Capital One, and to steal the personal information of more than 100 million people. Thompson reportedly also installed cryptocurrency mining software on new servers with the income from the mining going to her cryptocurrency wallet. Her scheme reportedly took hundreds of hours of advanced planning. Thompson was found guilty of wire fraud, five counts of unauthorised access to a protected computer, and damaging a protected computer. 

UPDATES

23 December 2021: Bloomberg reports USD 190 million class action settlement. Loss amount added. Headline and paragraph 1 amended. Paragraph 12 added. Link added to digest 9686.

17 June 2022: Thompson is found guilty of several cybercrimes. Paragraph 13 added.
