Capital One Financial has reported a major data breach where a hacker procured personal data of around 106 million individuals.
The hacker has been arrested and is under police custody.
Capital One data breach
In a statement, the bank said that it identified the breach on 19 July. The hacker accessed information related to Capital One credit card customers and those who applied for credit card products.
Based on the bank’s analysis, around 100 million US individuals and six million in Canada were affected.
However, credit card account numbers or log-in credentials were not compromised, the statement added.
Capital One Financial also claimed that more than 99% of Social Security numbers were not compromised.
The bank has already fixed the configuration vulnerability that the perpetrator exploited. Initial probe suggest that the information hacked was not disseminated or used for fraud, however, investigations will continue.
Capital One Financial chairman and CEO Richard Fairbank said: “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened.
“I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”
The incident is expected to cost the company around $100m to $150m in 2019. It will encompass costs to inform affected customers, credit monitoring, technology costs and legal support.
A Virginia-based bank, Capital One Financial is a financial holding company catering to consumers, small businesses and commercial clients.
It has two subsidiaries- Capital One and Capital One Bank, and has $373.6bn in total assets.
Vigilance or recovery?
Cyber Intelligence Director of MDR Cyber, Mark Tibbs, said: “The compromise of Capital One involved an enormous amount of data being accessed. According to the institution, the data was exposed due to a configuration setting in cloud storage. We find these kinds of mistakes are all too common for companies operating cloud infrastructure given the complexity of modern businesses and the number of settings that need attention.
“The incident showed that Capital One responded extremely quickly to the incident. Due to the nature of the attack and some clumsy operational security by the alleged attacker, an arrest has been made. This is unusual in a case like this and represents a great result for law enforcement.
“Companies should, however, remain vigilant to the ever-present threat of external attackers and implement proactive measures to ensure their data, particularly sensitive customer data, is held with appropriate security measures in place to prevent their name being the next headline.”