Massive security breach at Capital One exposes data of 6 million Canadians
Published Tuesday, July 30, 2019 11:47AM EDT Last Updated Tuesday, July 30, 2019 1:33PM EDT
A massive data hack at credit card giant Capital One Financial has compromised the personal data of roughly six million Canadians and exposed one million social insurance numbers -- making it one of the largest security breaches in Canadian history.
The incident, which affected about 106 million North American credit card holders, was announced by Capital One Financial late Monday after the alleged hacker was arrested.
Paige A. Thompson, who uses the online handle "erratic", was charged with a single count of computer fraud and abuse in U.S. District Court in Seattle. Thompson made an initial appearance in court and was ordered to remain in custody pending a detention hearing Thursday.
Federal agents began tracking Thompson online after being notified by Capital One of a possible breach in July.
Canada's Office of the Privacy Commissioner said Capital One has been in contact about the incident and the two are "engaging."
"Given the number of people impacted and the nature of the incident, it certainly raises significant privacy concerns," said spokeswoman Anne-Marie Cenaiko in an emailed statement.
In Canada, where Capital One provides Mastercard credit cards for Costco Wholesale's Canadian retail network and the Hudson's Bay Company, Capital One said approximately one million social insurance numbers were compromised.
The incident also compromised the data of roughly 100 million U.S. clients, including about 140,000 Social Security numbers and 80,000 linked bank account numbers.
Most of the information obtained was on consumers and small businesses who applied for a credit card from 2005 through early 2019, the credit card issuer said in a statement, noting that routinely collected information includes names, addresses, postal codes, phone numbers, dates of birth and income.
The credit card issuer said affected individuals will be notified through a "variety of channels." All those impacted will also receive free credit monitoring and identity theft insurance, including Canadians, a Capital One spokeswoman confirmed.
HBC did not immediately respond to requests for comment. According to Hudson's Bay's website, it is not mandatory to provide a social insurance number on a credit card application, but doing so "helps us distinguish you from others with similar information and allows us to accelerate the credit review process."
A spokesman for Costco Canada directed all questions from The Canadian Press to Capital One. Its online credit card application also asks for a SIN on an optional basis.
The Capital One compromise is one of the biggest-ever breaches to impact Canadians -- six million is a large chunk of the country's population, said David Masson, director of enterprise security for cybersecurity firm Darktrace.
"These were economically active members of the Canadian population. So if you strip out young people, those who have retired, this ... figure becomes even more statistically significant."
Capital One said that it was unlikely that the information was used for fraud, but Masson said that once data has left secure channels, there is always the possibility of compromise.
"If that information has gone somewhere else, it is now possible for somebody else to use the exact same information to obtain a credit card, bank account, a loan, a mortgage, a financial instrument. That's why it's so serious. In the modern world, that kind of data is almost effectively currency that can be bought and sold, particularly on the dark web."
Capital One Financial Corp. was notified by a third party on July 19 that their data had appeared on the code-hosting site GitHub, which is owned by Microsoft. The McLean, Virginia, company says it immediately notified the FBI.
The FBI said a Twitter user who went by "erratic" sent a user direct messages warning about distributing the bank's data, including names, birthdates and Social Security numbers. That user reported the message to Capital One.
In addition to credit card application data such as phone numbers, email addresses, dates of birth and self-reported income, the hacker was also able to access credit scores, credit limits and balances, as well as fragments of transaction information from a total of 23 days in 2016, 2017 and 2018.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Capital One CEO Richard Fairbank in a news release. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
The security breach is just the latest in a string of data hacks that have affected Canadians in recent years, including at U.S. companies such as Uber and Equifax.
In Canada, Desjardins Group revealed a data breach in June that saw the leak of names, addresses, birthdates, social insurance numbers and other private information from roughly 2.7 million people and 173,000 businesses.
In May, Freedom Mobile confirmed that it had been the victim of a security breach, but said the number of customers potentially exposed to the breach numbered 15,000. Researchers at vpnMentor, who discovered the breach and alerted the company, claimed that up to 1.5 million customers had been potentially affected.