- Capital One Financial announced yesterday that a data breach occurred in March.
- The breach affected about 100 million people in the US and about 6 million in Canada.
Capital One Financial’s massive data breach
Capital One Financial (COF) issued a press release on July 29 stating that on July 19, it discovered that an outside individual had gained unauthorized access to its customer details. The hack occurred on March 22–23. The hacker obtained the personal information of Capital One credit card customers and people who’d applied for credit card products.
Capital One fixed the vulnerability; the FBI arrested the hacker
Capital One said that it immediately fixed the vulnerability and promptly began working with the FBI. The FBI arrested the person responsible for the data breach. The alleged hacker, Paige A. Thompson, reportedly broke through the company firewall to access the customer details. She was a former employee of Amazon Web Services, the cloud hosting company Capital One was using to store the data. According to the US Department of Justice, Thompson posted information about her theft on the information-sharing site GitHub. A GitHub user alerted Capital One to the possibility of the data theft on July 17.
Impact of the data breach
The statement read, “Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”
In the company’s estimate, the breach affected about 100 million people in the US and about 6 million in Canada. The hacker accessed approximately 140,000 US customers’ Social Security numbers and 80,000 linked bank account numbers. She also accessed the names, addresses, zip codes and postal codes, credit limits, credit scores, phone numbers, and other information of an undisclosed number of people.
Impact on Capital One stock
This data breach is one of the biggest ever. On the news, Capital One stock was down 4% in after-hours trading. Today, in premarket trading, the stock was down 4.5%.
Capital One said it would notify those affected by the breach and would make free credit-monitoring and identity protection available to everyone affected. It expects to incur $100 million–$150 million in costs related to the hack, an amount that includes customer notifications, credit monitoring, tech costs, and legal support.
Investor rights law firm Bernstein Liebhard LLP announced yesterday that it was investigating potential securities fraud claims on behalf of COF’s shareholders.
Equifax data breach
Last week, Equifax (EFX) agreed to pay up to $700 million to settle claims associated with a massive data breach in 2017. That breach compromised the Social Security numbers and other sensitive information of almost half the US population. The company hid the details of the breach for several months before making them public.
Too little, too late?
Many observers were dissatisfied with the final settlement given the magnitude of the breach. According to Marcus Christian, a cybersecurity-focused litigation partner at Mayer Brown, “When you have 150 million people who are affected, this settlement is only really giving $2 or $3 per person.” He added, “The totals to Equifax will be higher, given how much they’ve spent already and potential fines from other regulators or Congress, but is this enough to strike fear? I’d say no.”