Another week, another massive data breach.
In this case, Capital One was the target when an unknown individual gained access to the company's servers.
The breach was detected by an independent security researcher, who contacted Capital One on July 19th. Apparently, the hacker gained access via a server configuration vulnerability.
Upon being made aware of the issue, Capital One addressed it immediately, which cut the hacker off from the data. At this time, it is not believed that the hacker has sold the data he was able to collect, but the investigation is ongoing.
While this breach isn't the largest in American history, the scope and scale is still staggering. More than one million Americans and six million Canadians have been impacted by it. That includes more than a million Canadians that saw their social insurance numbers accessed.
"This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including: Customer status data, (e.g., credit scores, credit limits, balances, payment history, contact information, and fragments of transaction data) from a total of 23 days during 2016, 2017, and 2018."
In addition to more than a million Canadian social insurance numbers being exposed, the hacker also gained access to some 140,000 American social security numbers and over 80,000 bank account numbers.
If there's a silver lining here, it is the fact that the US Attorney's Office for the Western Distract of Washington said it had arrested a "former Seattle technology company software engineer" in relation to the breach. If that proves to be true, then they apparently got him before he had time to post and sell the data on the Dark Web.
If you are a Capital One customer, or if you've applied for a Capital One card or loan between 2005 and 2019, know that your data may have been among the records compromised.