About one million Canadian social insurance numbers compromised in Capital One data breach

A man walks across the street from a Capital One location in San Francisco on July 16, 2019.

Jeff Chiu/The Associated Press

A massive data hack at credit card giant Capital One Financial Corp. has compromised the personal data of roughly six million Canadians and exposed one million social insurance numbers – making it one of the largest security breaches in Canadian history.

The incident, which affected about 106 million North American credit-card holders, was announced by Capital One Financial late Monday after the alleged hacker, Paige A. Thompson, was charged with computer fraud and abuse in Seattle.

It is among the largest security breaches of a major U.S. financial institution on record. The bank’s stock tumbled 7 per cent Tuesday, the largest single-day decline in four years.

Ms. Thompson made an initial appearance in court and was ordered to remain in custody pending a detention hearing Thursday.

Federal agents began tracking Ms. Thompson online after being notified by Capital One of a possible breach in July.

On June 18, Ms. Thompson sent a message on Twitter to another user saying, “I’ve basically strapped myself with a bomb vest, [expletive] dropping capitol ones dox and admitting it.”

The FBI raided Ms. Thompson’s residence Monday and seized digital devices. An initial search turned up files that referenced Capital One and “other entities that may have been targets of attempted or actual network intrusions.”

Ms. Thompson was a systems engineer at Amazon Web Services between 2015 and 2016, about three years before the breach took place.

A résumé Ms. Thompson posted on a Slack group she created says she worked on its front-end (the interface with users) and security updates.

While that service is used by Capital One, there is no evidence that Amazon’s cloud system was involved in the breach.

“AWS was not compromised in any way and functioned as designed,” a company spokesperson said Tuesday. “The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud.”

Capital One was notified by a third party on July 19 that its data had appeared on the code-hosting site GitHub, which is owned by Microsoft. The McLean, Va., company says it immediately notified the FBI.

Canada’s Office of the Privacy Commissioner said Capital One has been in contact about the incident and the two are “engaging” but did not say whether it would launch an investigation.

“Given the number of people impacted and the nature of the incident, it certainly raises significant privacy concerns,” spokeswoman Anne-Marie Cenaiko said in an e-mailed statement.

In Canada, where Capital One provides Mastercard credit cards for Costco Wholesale’s Canadian retail network and the Hudson’s Bay Co., Capital One said approximately one million social insurance numbers were compromised. Capital One credit-card applications include the option for consumers to provide their social insurance number, but only some applicants choose to provide it.

The incident also exposed the data of roughly 100 million U.S. clients, including about 140,000 social security numbers and 80,000 linked bank account numbers.

Most of the information obtained was on consumers and small businesses who applied for a credit card from 2005 through early 2019 and included names, addresses, postal codes, phone numbers, dates of birth and income.

Capital One said affected individuals will be notified through a “variety of channels.” Impacted Canadians will also receive free credit monitoring and identity theft insurance.

A lawsuit seeking class-action status was filed in the federal court in Washington by Kevin Zosiak, a Stamford, Conn., resident who said he is a Capital One credit-card customer whose personal information was compromised. It is likely to herald many similar lawsuits over the breach.

HBC did not respond to a request for comment. A spokesman for Costco Canada directed all questions from The Canadian Press to Capital One.

The Capital One compromise is one of the biggest-ever breaches to impact Canadians – six million is a large chunk of the country’s population, said David Masson, director of enterprise security for cybersecurity firm Darktrace.

“These were economically active members of the Canadian population. So if you strip out young people, those who have retired, this ... figure becomes even more statistically significant.”

Finance Minister Bill Morneau said he has asked the Office of the Superintendent of Financial Institutions to investigate the breach and ensure that “appropriate steps” are taken to protect Canadians.

“We are deeply concerned by the unacceptable breach at Capital One... Affected Canadians should contact Capital One immediately. We are working on this vigilantly,” he said on Twitter on Tuesday.

He added that Public Safety Minister Ralph Goodale is also in touch with his counterparts in the U.S. about the matter.

The financial services regulator is “monitoring the situation closely,” said OSFI spokesman Colin Palmer.

In addition to credit-card application data such as phone numbers, e-mail addresses, dates of birth and self-reported income, the hacker was also able to access credit scores, credit limits and balances, as well as fragments of transaction information from a total of 23 days in 2016, 2017 and 2018.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Capital One CEO Richard Fairbank said in a news release. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Capital One said it could not provide information on several questions posed by The Canadian Press, including how many and which branded credit cards were affected and how many of those had their SIN compromised.

The company said it was in the process of notifying affected customers, but would not elaborate on how or when it would contact consumers.

Under new federal privacy rules that came into force in November, organizations are obligated to report a breach involving personal information under their control if there is a “real risk of significant harm” to an individual. Organizations must also notify the persons impacted and detail, among other things, the circumstances, the personal information compromised and steps the firm has taken to reduce harm.

With a report from Reuters
