On Monday, financial services company Capital One announced that its digital infrastructure suffered a massive data breach. A hacker compromised the firm’s systems and acquired the personal information of more than 100 million Americans and 6 million Canadians. The corporation stated that it learned of the cyber-attack on July 19. That day, a GitHub user noticed another user posting details about the incident.
According to USA Today, the Capital One hack represents the seventh-largest data breach in U.S. history.
Data Breach Details
In its official breach disclosure, Capital One explained that the intruder accessed 23 days of the firm’s transaction data. The hacker also gained access to credit card application data ranging from 2015 to 2019. The compromised information includes users’ names, addresses, phone numbers, dates of birth, email addresses, and self-reported income.
The bank also noted that the hacker gained access to 140,000 Social Security numbers as well as 800,000 users’ bank account data (partial numbers only).
The Federal Bureau of Investigation (FBI) has already arrested a suspect in connection with the data breach. The agency arrested Seattle software developer Paige A. Thompson for the theft, which took place between March 13 and July 17. According to a Justice Department press release, Thompson allegedly took advantage of a misconfigured web application firewall to steal Capital One’s user data.
The bank confirmed that it patched the vulnerability that allowed unauthorized users access to its database.
The FBI seized an electronic storage device in Thompson’s possession that contained a copy of the stolen information. If convicted of computer fraud and abuse, Thompson faces a $250,000 fine and five years in prison. On August 1, the accused hacker will have a hearing in the U.S. District Court in Seattle.
What Happens Next
Capital One Chairman and CEO Richard D. Fairbank publicly apologized to the company’s users for the data breach. The firm is now offering credit monitoring and identity protection services to affected users. The corporation also stated that it would spend $100-150 million mitigating the effects of the intrusion this year.
Nevertheless, the bank will likely spend considerably more than a few hundred million dollars in the aftermath of its historic breach. Last week, Equifax came to terms with the Federal Trade Commission (FTC) regarding its 2017 data theft. The firm agreed to pay $700 million for failing to protect the personal information of 147 million Americans.
Given the scale of the Capital One data leak, the FTC will investigate the circumstances surrounding the malicious attack. Furthermore, the Justice Department’s indictment notes that an unauthorized user accessed the corporation’s systems because of a configuration error. As such, the firm could be found liable for not doing enough to protect its users. Consequently, it won’t be surprising if the financial services company makes a near billion-dollar settlement payout in the next two years.
As massive corporate data breaches are becoming unnervingly common, the government might want to take preemptive action. While massive regulatory fines are wholly appropriate, they don’t offer much help to consumers who’ve had their information exposed. However, if Washington lawmakers established national cybersecurity laws, large companies might take their data protection responsibilities more seriously.