Capital One Data Breach Impacts 106M Customers, Woman Arrested

MCLEAN, VA — A massive breach of customer data affected around 106 million Capital One customers in the U.S. and Canada, the McLean-based company announced Monday. A woman has been arrested in connection with the data breach.

Based on the company's analysis, the individual took data from 100 million people in the U.S. and 6 million in Canada. The company said that 140,000 social security numbers and 80,000 bank account numbers linked to credit accounts were exposed. In Canada, 1 million Social Insurance Numbers were exposed.

The most common data taken was information when customers and small businesses applied for credit cards from 2005 to early 2019. This information included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income. The breach also involved credit card customer data such as credit scores, credit limits, balances, payment history, contact information and portions of 23-day transaction data in 2016, 2017 and 2018.

Capital One is notifying impacted customers. The company will provide free credit monitoring and identity protection.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, Capital One chairman and CEO in a statement. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

The FBI arrested Paige A. Thompson, 33, a Seattle tech worker, on Monday. According to the FBI, she was able to get around a "misconfigured web application firewall" and access Capital One servers to download huge amounts of personal data. The data breach began sometime in March.

Thompson then posted about having the data on GitHub, a site where software developers share projects and code. A GitHub user alerted Capital One about the possible breach in mid-July, and the company turned to the FBI to pursue criminal charges.

The FBI searched Thompson's apartment in Seattle on Monday, and she made an initial appearance in court on one charge of computer fraud. She was ordered held in federal custody and will appear in court on Aug. 1.

The data breach will cost Capital One approximately $100 to $150 million in 2019.

Patch editor Neal McNamara contributed to this report.