Millions of Canadians’ data exposed after hacker targets Capital One

SEATTLE (NEWS 1130) — Hackers have gained access to the personal information of millions of Canadians.

Capital One says a hacker, believed to be located in Seattle, accessed the personal information of six million individuals in Canada and 100 million in the United States on March 22 and 23 of this year. According to the bank, it found a vulnerability in its system on July 19 and immediately reached out to law enforcement. The FBI has arrested the person it believes is responsible, and she appeared in a Seattle court on Monday.

Social Insurance Numbers belonging to about one million Canadians were compromised.

The hacker also accessed names, addresses, zip codes and postal codes, phone numbers, email addresses, dates of birth, and self-reported income, all information collected by the bank during the application process between 2005 and early 2019. Information on credit scores, credit limits, balances, payment history, contact information, and some parts of transaction data for 23 days in 2016, 2017 and 2018 was also accessed.

Paige A. Thompson — who also goes by the handle “erratic” — was charged with a single count of computer fraud and abuse in U.S. District Court in Seattle. Thompson made an initial appearance and was ordered to remain in custody pending a detention hearing Thursday.

The FBI raided Thompson’s residence Monday and seized digital devices. An initial search turned up files that referenced Capital One and “other entities that may have been targets of attempted or actual network intrusions.”

According to the FBI complaint, someone emailed the bank two days before July 19 — the day Capital One reached out to law enforcement — notifying it that leaked data had appeared on the code-hosting site GitHub, which is owned by Microsoft.

And a month before that, the FBI said, a Twitter user who went by “erratic” sent another user direct messages warning about distributing the bank’s data, including names, birthdays and Social Security numbers. That user later reported the message to Capital One.

“I’ve basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” one said. “I wanna distribute those buckets i think first.”

Capital One said it believes it is unlikely that the information was used for fraud, but it will continue to investigate.

According to the company, no credit card account numbers or log-in credentials were accessed. Although 99 per cent of customers’ social insurance numbers were not compromised, 140,000 were still accessed. Information from 80,000 linked bank accounts belonging to customers using secured credit cards was also compromised.

The bank’s Chairman and CEO has apologized for the breach.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Richard D. Fairbank said in a press release. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Capital One says it will be contacting customers whose data was breached, and will be offering free credit monitoring and identity protection to everyone who was affected.

In 2017, a data breach at Equifax, a major credit reporting company, exposed the Social Security numbers and other sensitive information of roughly half of the U.S. population.

Last week, Equifax agreed to pay at least $700 million to settle lawsuits over the breach in a settlement with federal authorities and states. The agreement includes up to $425 million in monetary relief to consumers.

Many major banks have sought to stem the risk of data breaches in recent years. JPMorgan Chase, Bank of America and Citibank began replacing customers’ debit cards several years ago with more secure chip-based cards. While the cards with chips are common these days, many merchants still rely on the older, less secure card-swiping equipment. Credit card companies have also beefed up fraud monitoring in the wake of high-profile data breaches that hit retailers such as Target and Home Depot.

The average cost of a data breach in the U.S. last year was just under $8 million, according to a study by IBM Security and Ponemon Institute.
