Capital One said Monday that the data of 100 million U.S. customers was illegally accessed in a breach that federal prosecutors said was perpetrated by a Seattle woman who allegedly hacked the bank’s server at a cloud-computing company.
Six million Canadian customers were also affected.
Federal prosecutors said that sometime between March 12 and July 17, Paige A. Thompson, 33, of Seattle hacked Capital One’s rented server space.
The Department of Justice alleges that Thompson “posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data.”
The agency said that Thompson accessed the data by exploiting a misconfigured firewall. Capital One said in a statement that it had fixed the problem and that the data was likely not used for fraud or distributed by the hacker.
The company said that data from consumer and small business credit card applications filed between 2005 and 2019 made up the largest portion of stolen information. Applicants’ names, addresses, phone numbers and dates of birth, as well as financial data including self-reported income, credit scores and fragments of transaction history, were all part of the theft.
The bank said around 140,000 Social Security numbers and 80,000 bank account numbers were also accessed.
It said “no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised.”
The company said it will offer free credit monitoring and identity protection to those affected and estimated the breach would cost as much as $150 million.
Thompson was charged with a single count of computer fraud Monday and faces a maximum penalty of five years in prison and a $250,000 fine.
Capital One recently began migrating its data to the cloud to lower costs and plans to completely exit its data centers by 2020.
© 2019 New York Daily News
Distributed by Tribune Content Agency, LLC.