A massive data hack at credit card giant Capital One Financial Corp. has compromised the personal data of roughly six million Canadians and exposed one million social insurance numbers – making it one of the largest security breaches in Canadian history.
The incident, which affected about 106 million North American credit-card holders, was announced by Capital One Financial late Monday after the alleged hacker, Paige A. Thompson, was charged with computer fraud and abuse in Seattle.
It is among the largest security breaches of a major U.S. financial institution on record. The bank’s stock tumbled 7 per cent Tuesday, the largest single-day decline in four years.
Ms. Thompson made an initial appearance in court and was ordered to remain in custody pending a detention hearing Thursday.
Federal agents began tracking Ms. Thompson online after being notified by Capital One of a possible breach in July.
On June 18, Ms. Thompson sent a message on Twitter to another user saying, “I’ve basically strapped myself with a bomb vest, [expletive] dropping capitol ones dox and admitting it.”
The FBI raided Ms. Thompson’s residence Monday and seized digital devices. An initial search turned up files that referenced Capital One and “other entities that may have been targets of attempted or actual network intrusions.”
Ms. Thompson was a systems engineer at Amazon Web Services between 2015 and 2016, about three years before the breach took place.
A résumé Ms. Thompson posted on a Slack group she created says she worked on its front-end the interface with users and security updates.
While that service is used by Capital One, there is no evidence that Amazon’s cloud system was involved in the breach.
“AWS was not compromised in any way and functioned as designed,” a company spokesperson said Tuesday. “The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud.”
Capital One was notified by a third party on July 19 that their data had appeared on the code-hosting site GitHub, which is owned by Microsoft. The McLean, Va., company says it immediately notified the FBI.
Canada’s Office of the Privacy Commissioner said Capital One has been in contact about the incident and the two are “engaging” but did not say whether it would launch an investigation.
“Given the number of people impacted and the nature of the incident, it certainly raises significant privacy concerns,” spokeswoman Anne-Marie Cenaiko said in an e-mailed statement.
In Canada, where Capital One provides Mastercard credit cards for Costco Wholesale’s Canadian retail network and the Hudson’s Bay Co., Capital One said approximately one million social insurance numbers were compromised. Capital One credit-card applications include the option for consumers to provide their social insurance number, but only some applicants choose to provide it.
The incident also exposed the data of roughly 100 million U.S. clients, including about 140,000 social security numbers and 80,000 linked bank account numbers.
Most of the information obtained was on consumers and small businesses who applied for a credit card from 2005 through early 2019 and included names, addresses, postal codes, phone numbers, dates of birth and income.
Capital One said affected individuals will be notified through a “variety of channels.” Impacted Canadians will also receive free credit monitoring and identity theft insurance.
A lawsuit seeking class-action status was filed in the federal court in Washington by Kevin Zosiak, a Stamford, Conn., resident who said he is a Capital One credit-card customer whose personal information was compromised. It is likely to herald many similar lawsuits over the breach.
HBC did not respond to a request for comment. A spokesman for Costco Canada directed all questions from The Canadian Press to Capital One.
The Capital One compromise is one of the biggest-ever breaches to impact Canadians – six million is a large chunk of the country’s population, said David Masson, director of enterprise security for cybersecurity firm Darktrace.
“These were economically active members of the Canadian population. So if you strip out young people, those who have retired, this ... figure becomes even more statistically significant.”
Finance Minister Bill Morneau said he has asked the Office of the Superintendent of Financial Institutions, to investigate the breach and ensure that “appropriate steps” are taken to protect Canadians.
“We are deeply concerned by the unacceptable breach at Capital One... Affected Canadians should contact Capital One immediately. We are working on this vigilantly,” he said on Twitter on Tuesday.
He added that Public Safety Minister Ralph Goodale is also in touch with his counterparts in the U.S. about the matter.
The financial services regulator is “monitoring the situation closely,” said OSFI spokesman Colin Palmer.
In addition to credit-card application data such as phone numbers, e-mail addresses, dates of birth and self-reported income, the hacker was also able to access credit scores, credit limits and balances, as well as fragments of transaction information from a total of 23 days in 2016, 2017 and 2018.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Capital One CEO Richard Fairbank said in a news release. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Capital One said it could not provide information on several questions posed by The Canadian Press, including how many and which branded credit cards were affected and how many of those had their SIN compromised.
The company said it was in the process of notifying affected customers, but would not elaborate on how or when it would contact consumers.
Under new federal privacy rules that came into force in November, organizations are obligated to report a breach involving personal information under its control if there is a “real risk of significant harm” to an individual. Organizations must also notify the persons impacted and detail, among other things, the circumstances, the personal information compromised and steps the firm has taken to reduce harm.
With a report from Reuters