The data breach was found when an ethical hacker disclosed the vulnerability to Capital One responsibly on 17 July 2019. After conducting an internal investigation into the past use of this vulnerability, Capital One found that unauthorized users accessed their systems and customer information between 22 and 23 March 2019. “On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers”, Capital One stated in a data security incident notice. “This occurred on March 22 and 23, 2019.” Their research found that the unauthorized user had access to data in the United States for 100 million people and in Canada for 6 million people.  They provided information to the FBI that arrested the suspected hacker after fixing the vulnerability used in the violation. A wide range of other details have been accessed while no credit card numbers or login credentials have been accessed. Due to the amount of personal information exposed and how identity theft can be used, it is highly recommended that the users monitor their credit reports for suspicious activity and report immediately to Police, Capital One and Credit Agencies anything that has been detected.

Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

No bank account numbers or Social Security numbers were compromised, other than:

About 140,000 Social Security numbers of our credit card customers About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.” Capital One notifies every user affected by the email and provides a free credit surveillance service. It is also strongly suggested you freeze your credit report if it is impacted that bad actors find it more difficult to take out credit in your name fraudulently.

How Capital One got hacked?

Thompson’s criminal complaint paints an impression of a less careful suspect. The complaint says that Thompson has published information on GitHub using its full first, middle, and last name. She also boasted of having information from Capital One on social media. “I wanna get it off my server that’s why Im archiving all of it lol,” Thompson allegedly posted on Slack. One person was alarmed by what Thompson found, writing that the information was “sketchy,” adding, “don’t go to jail plz.” Thompson did little to cover her identity up. She allegedly used Slack’s “erratic” screen name, which she used on a Twitter and Meetup chatroom page. Thompson’s FBI special agent who surveyed believed that she wanted to distribute the Social Security numbers with full names and birth dates. The complaint states that Thompson “recognizes that she has acted illegally.”