Skip to main content

Digital Trends may earn a commission when you buy through links on our site. Why trust us?

New Capital One data breach affects 100 million people. Here’s the very latest

A massive data breach of Capital One exposed the personal information of approximately 100 million people after a former Amazon employee stole credit card application data, including about 80,000 bank account numbers and 140,000 Social Security numbers.

Federal authorities arrested a Seattle-area woman, Paige A. Thompson, on Monday over the hack. They said Thompson, who had previously worked for Amazon Web Services, stole the data from the bank’s credit card applications in March, according to Bloomberg. Amazon handles Capital One’s cloud database.

Capital One acknowledged the data breach on Monday evening, saying it affected “approximately 100 million individuals in the United States and approximately 6 million in Canada.”

“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” the company wrote. “However, we will continue to investigate.”

How did the data breach happen?

According to court documents, Thompson worked for a cloud computing company that was contracted by Capital One. That company was identified as Amazon Web Services, which handles a massive amount of internet traffic, by the New York Times.

An Amazon spokesperson told Digital Trends that Thompson had not worked for the company for about three years. The vulnerability that Thompson allegedly exploited to gain access to the data came from a misconfiguration of a web application on Capital One’s side — Amazon’s systems weren’t compromised and they functioned properly, the spokesperson said. It’s still unclear whether Thompson used knowledge gained from her time at Amazon to access the system.

Capital One described the alleged hacker as a “highly sophisticated individual who was able to exploit a specific configuration vulnerability in our infrastructure.”

The company added that it addressed the vulnerability after discovering it, and that much — but not all — of the data was encrypted. That said, because Thompson had access to the system, she was able to decrypt some of the data, Capital One said.

“Although some of the information in those applications (such as Social Security numbers) has been tokenized or encrypted, other information including applicants’ names, addresses, dates of birth and information regarding their credit history has not been tokenized,” the FBI said in a criminal complaint reviewed by the Washington Post.

Thompson has been accused of “exfiltrating and stealing information, including credit card applications and other documents, from Capital One,” according to court papers. Other compromised data included credit scores, credit limits, balance, and payment information. About a million Canadian Social Insurance numbers were also compromised.

New York Attorney General Letitia James is also getting involved — her office opened up an investigation into the breach on Tuesday.

Who is alleged Capital One hacker Paige Thompson?

Thompson went by the nickname “erratic” online and was part of a Meetup group called Seattle Warez Kiddies, where she listed herself as “CTO of Netcrave Communications.” She wrote about the breach in Meetup posts and on  Twitter and Slack, the FBI said.

“I’ve basically strapped myself with a bomb vest, [expletive] dropping capital ones dox and admitting it,” she wrote, according to the FBI. The agency first discovered her activity on Meetup and used it to track her down after being tipped off that some of the bank’s data had been compromised.

Speaking on Slack, she posted a list of the files she had allegedly taken and said “I wanna get it off my server that’s why Im archiving all of it lol … its all encrypted,” according to court documents.

Capital One learned of the breach on July 17 from an online posting and quickly alerted the FBI. We’ve reached out to the bank for more details on who might have been impacted by the breach and will update this story if they respond.

Digital Trends was unable to contact an attorney for Thompson. She will remain in jail for the time being and has a bail hearing scheduled for Thursday.

Was my data affected by the Capital One breach?

At this point, it’s unclear — but it’s likely, just based on the number of affected customers. Remember, the data stolen was from credit card applications, so if you’ve ever applied for a Capital One credit card, you might be at risk.

A much smaller number of people had their key data — bank number and social security numbers — exposed. If your data was compromised, you should hear from Capital One soon.

“We will notify affected individuals through a variety of channels,” Capital One wrote, “We will make free credit monitoring and identity protection available to everyone affected.”

The company expects the breach to cost it between $100 and $150 million this year, mostly for the cost of notifying customers and monitoring their credit.

The massive scale of the leaked credit card applications could make this one of the biggest financial data breaches ever. The largest was the 2017 Equifax breach, in which hackers stole personal data from about 147 million people. That hack ended in a $700 million settlement with the Federal Trade Commission (FTC).

Editors' Recommendations

Mathew Katz
Former Digital Trends Contributor
Mathew is a news editor at Digital Trends, specializing in covering all kinds of tech news — from video games to policy. He…
Lawsuit over Capital One data breach could eventually get you sweet revenge
how to protect yourself from capital one data breach credit card

If you were affected by the massive Capital One data breach, you might be entitled to cash down the line thanks to a new class-action lawsuit being filed against the company.
The Miami-based law firm Colson Hicks Eidson filed a class-action lawsuit Tuesday against Capital One Financial Corporation “for negligence in failing to safeguard consumers’ personal information” in the recent data breach that impacted 100 million consumers. It's not clear what will come with the lawsuit down the line, but a massive settlement could be seen as a significant deterrent against companies that don't do enough to safeguard personal data. And it could net you a couple of bucks -- if you were affected. 
"Capital One was reckless and completely disregarded the rights of consumers by failing to implement and maintain adequate data security measures and therefore exposed information to criminals for misuse,” said Lewis S. Mike Eidson, co-counsel for the plaintiffs. “Through this lawsuit, we hope to prevent a re-occurrence of a similar data breach, which has caused tremendous grief and compromised the financial standing and credit scores for so many.”   
If you missed the story of the breach, the short version is that thanks to a faulty firewall, a hacker was able to gain access to the bank’s cloud repository in March of 2019. That hacker collected the personal information from roughly 100 million Capital One customers' credit card applications, authorities said. The hacker then allegedly posted information about the breach their GitHub account in the middle of April, making it potentially available to others who could use it in nefarious ways.
The alleged hacker, Paige A. Thompson was arrested in July for the hack. She previously worked for Amazon Web Services (AWS) which handles Capital One’s cloud database.
At the time of the announcement of the hack, Capital One said that it is unlikely that the information was used for fraud or disseminated by this individual,” but it had plans to continue to investigate.
Despite that timeline, Capital One did not alert its customers of the breach until July 29, 2019. The information in question was also still available online until at least July 17, 2019 when the bank was notified by an anonymous tipster.
If you're worried that you were affected by the hack -- and there's a good chance you were, considering how big it was -- there are a number of steps you can take to protect yourself.
Capital One has said that it will be notifying those impacted by the hack “through a variety of channels.” We reached out to the company for comment on the class-action lawsuit, and will update this story if we heard back. 
The lawsuit was filed in Federal Court in the Eastern District of Virginia on behalf of plaintiffs Maria de Lourdes Tester and Tracy Elizabeth Masi.

Read more
Authorities have opened a new investigation into the Capital One data breach
Capital One Data Breach

New York Attorney General Letitia James has already opened up an investigation into the Capital One data breach, she announced Tuesday -- less than 24 hours after the company revealed the massive hack.

The breach exposed the personal information of approximately 100 million people in the U.S. and six million people in Canada. The information that was stolen included 80,000 bank account numbers and 140,000 Social Security numbers. 

Read more
Here’s how to protect yourself from the Capital One data breach
how to protect yourself from capital one data breach credit card

By now, you may have heard that Capital One has recently announced a massive data breach that has reportedly affected approximately 100 million people in the United States and six million in Canada. While this news can understandably induce panic, it’s important to remember that there are ways to protect yourself in the event that you and your accounts are one of the ones affected in massive data breaches like this one or the recently settled Equifax breach.

Capital One has issued its own set of guidelines and FAQ answers regarding the breach and how to handle it. That's a good place to start. In addition, we’ve gathered a few other tips to keep in mind to help you safeguard your accounts.
Unsure if you were affected? Here’s how to find out
According to Capital One’s guidelines on the matter, the bank holding company will notify those affected by the breach “through a variety of channels.” In addition, Capital One has advised its customers to “enroll in account alerts” to better help them review their accounts and spot suspicious activity. Capital One customers have also been advised to call the number on the back of their cards to report any unusual activity on their credit card accounts.

Read more