Capital One hack: what happened and are you entitled to compensation?

Hacker arrested after data of 106 million Americans and Canadians are stolen

A hacker has been arrested in connection with the theft of the personal data of around 106 million customers of the US company Capital One.

Thompson is believed to have stolen “names, addresses and phone numbers” of customers who “applied” for products at the financial services firm, the broadcaster says.

While Capital One says that no credit card information or account login details were exposed in the hack, it admits that 140,000 Social Security numbers – a nine-digit code issued to US citizens – and 80,000 “linked bank account numbers” were compromised.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard Fairbank, Capital One’s chief executive. “I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”

What happened?

On Monday, Capital One announced that it had been the victim of a major data breach that exposed the personal information of 100 million American and six million Canadian customers and credit card applicants, the Financial Times reports.

The breach took place in March but was discovered only this month, the newspaper says. The hacker tapped into the personal data of “consumers and small businesses” that applied for credit cards between 2005 and 2019.

Capital One says the stolen data includes:

  • Customer status data - such as credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from 23 days during 2016, 2017 and 2018
  • Approximately 140,000 Social Security numbers of credit card customers
  • Around 80,000 “linked” bank account numbers of “secured credit card customers”
  • About one million Social Insurance Numbers, a nine-digit code given to Canadian residents

Although Bloomberg describes the attack as “possibly one of the largest-ever impacting a US bank”, the site says Capital One is unlikely to face severe consequences from authorities as the stolen data “wasn’t distributed to others or used for fraud”.

Still, Capital One predicts that the attack will “generate incremental costs of approximately $100m to $150m (£82m-£123m)” over the course of the year.

Who is Paige Thompson?

Paige Thompson, believed to be the mastermind behind the attack, worked for Amazon as a systems engineer between May 2015 and September 2016, according to the Daily Mail.

She was arrested on Monday in Seattle after leaving “a trail of breadcrumbs” for US authorities, the news site says. For instance, Thompson posted multiple times online that she had obtained the data, prompting other hackers to warn her that she would be “facing jail”.

Thompson allegedly stole the data from Amazon Web Services, before posting the information in folders on the file-sharing website GitHub, the news site says.

Then, on 17 July, an anonymous tipster alerted Capital One to the location of the data, the Mail adds. The GitHub link embedded in the email contained Thompson’s full name – “paigeadelethompson” – in the URL.

Are customers entitled to compensation?

Compensation looks unlikely at the moment, given that Capital One has yet to discover any fraudulent activity linked to the stolen personal details.

However, the bank says it will be putting money aside for “customer notifications” and “legal support”, suggesting that it anticipates possible lawsuits from affected customers.