Another day, another widespread data breach. This time it is global lending institution Capital One, which has just disclosed a data breach that exposed the data of more than 106 million customers. Of this figure, 100 million are Americans and 6 million are Canadians.
According to the public disclosure, the internal flaw is believed to have been in existence since 2005, a mere 14 years prior to the announcement. The credit card issuer notes that the vulnerability concerned the information provided by customers at the time of the financing application.
This will have included a full set of personal information, such as the customer’s full name, home address, telephone numbers, email address, and date of birth. On the financial side, as is standard practice when applying for credit cards and other financing products like loans and mortgages, the data breach would have included sensitive information tied to the applicant’s income and debt.
Such details would have covered the applicant’s reported income, home ownership status, debt-to-income ratio, and known assets.
Highly Sensitive Data Pertaining to US and Canadian Customers
On top of potentially leaking data pertaining to credit card applications, the lender also revealed that it believes the vulnerability could have led to the exposure of existing customer data. As Capital One's own statement read:
“Beyond the credit card application data, the individual also obtained portions of credit card customer data, including: Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information; Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.”
It is also believed that in total, more than 80,000 US bank account numbers were exposed, alongside a staggering 140,000 US social security numbers. Those based in Canada were also affected. In fact, it was noted that over 1 million Canadian social insurance numbers could have been accessed by unauthorised third parties.
An Arrested Individual Remains in Custody
As is often the case in large-scale data breaches, the leaked information was in fact accessed by an unsavoury character looking to make illicit gains. However, the lender revealed that an individual has been arrested and is currently being held in custody.
This once again highlights the weaknesses in the measures large companies employ when attempting to safeguard customer data. The most alarming aspect of the admission of guilt is the fact that the data breach runs all the way back to 2005. With that being said, it is nearly impossible to assess which customers have been affected.
How Will US Regulators Respond to the Data Breach?
Much like in the case of Equifax, which was responsible for the data breach of more than 145 million people, it is all but certain that US regulators will seek to impose a monetary fine on Capital One. In the case of Equifax itself, the credit rating agency was ordered to pay a whopping $671 million in class-action lawsuits.