Capital One hack: what happened and are you entitled to compensation?
Hacker arrested after data of 106 million Americans and Canadians are stolen
A hacker has been arrested in connection with the theft of the personal data of around 106 million customers of the US company Capital One.
Paige Thompson, the alleged hacker, was arrested in Seattle on Monday on charges of computer fraud after reportedly “boasting” about the data breach online, the BBC reports.
Thompson is believed to have stolen “names, addresses and phone numbers” of customers who “applied” for products at the financial services firm, the broadcaster says.
While Capital One says that no credit card information or account login details were exposed in the hack, it admits that 140,000 Social Security numbers – a nine-digit code issued to US citizens – and 80,000 “linked bank account numbers” were compromised.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard Fairbank, Capital One’s chief executive. “I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”
What happened?
On Monday, Capital One announced that it had been the victim of a major data breach that exposed the personal information of 100 million American and six million Canadian customers and credit card applicants, the Financial Times reports.
The breach took place in March but was discovered only this month, the newspaper says. The hacker tapped into the personal data of “consumers and small businesses” that applied for credit cards between 2005 and 2019.
Capital One says the stolen data includes:
- Customer status data - such as credit scores, credit limits, balances, payment history, contact information
- Fragments of transaction data from 23 days during 2016, 2017 and 2018
- Approximately 140,000 Social Security numbers of credit card customers
- Around 80,000 “linked” bank account numbers of “secured credit card customers”
- About one million Social Insurance Numbers, a nine-digit code given to Canadian residents
Although Bloomberg describes the attack as “possibly one of the largest-ever impacting a US bank”, the site says Capital One is unlikely to face severe consequences from authorities as the stolen data “wasn’t distributed to others or used for fraud”.
Still, Capital One predicts that the attack will “generate incremental costs of approximately $100m to $150m (£82m-£123m)” over the course of the year.
Who is Paige Thompson?
Paige Thompson, believed to be the mastermind behind the attack, worked for Amazon as a systems engineer between May 2015 and September 2016, according to the Daily Mail.
She was arrested on Monday in Seattle after leaving “a trail of breadcrumbs” for US authorities, the news site says. For instance, Thompson posted multiple times online that she had obtained the data, prompting other hackers to warn her that she would be “facing jail”.
Thompson allegedly stole the data from Amazon Web Services, before posting the information in folders on the file-sharing website GitHub, the news site says.
Then, on 17 July, an anonymous tipster alerted Capital One to the location of the data, the Mail adds. The GitHub link embedded in the email contained Thompson’s full name – “paigeadelethompson” – in the URL.
Are customers entitled to compensation?
Compensation looks unlikely at the moment, given that Capital One has yet to discover any fraudulent activity linked to the stolen personal details.
However, the bank says it will be putting money aside for “customer notifications” and “legal support”, suggesting that it anticipates possible lawsuits from affected customers.