July 31, 2019

100M affected in Capital One data breach

A hacker stole and publicly exposed the personal information from more than 100 million credit applications made with Capital One Financial Corp. Capital One was notified of the leaked data via its Responsible Disclosure program on July 17; news about the breach broke Monday when the FBI arrested the suspected individual.

According to the indictment of Paige Thompson, she accessed the data by exploiting a loophole in a Capital One application's firewall. Capital One said the stolen data – including names, addresses, phone numbers, email addresses, birthdates and self-reported income – primarily came from individual and small business credit applications made with the company between 2005 and early 2019.

However, no credit card numbers or login credentials were compromised, and less than 1 percent of Social Security numbers were exposed.

Capital One has an FAQ document on the incident available online.

NAFCU is a leader in calling for a national data security standard and was the first group after the massive 2013 Target data breach to call for a legislative solution to reform the nation's data security system. Among the association's principles for a data security standard are holding negligent companies accountable and ensuring consumers are made aware of breaches in a timely manner.

The association will continue to monitor this data breach.