Capital One Lost 14 Years' Worth Of Customer Information In A Data Breach
Capital One is the latest victim of a large-scale breach, one that exposed customer records dating from 2005 to 2019. Covering 14 years of collected data, it may be considered the data breach with the largest number of records stolen over the longest period in the history of computing. In view of the gravity of the situation, Capital One issued an official press release providing more information about the incident. The company said it expects that around 6 million Canadians and 100 million Americans had their information stolen from the company’s database through a clever chain of cyberattacks against unpatched system vulnerabilities. Capital One admitted that the data breach was discovered through the responsible disclosure of ethical hackers on July 17, 2019. The company’s internal team confirmed that the incident had actually happened when its internal investigation was completed on July 19, 2019. In a period of just one day, from March 22 to 23, 2019, the attackers harvested 14 years' worth of customer records.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” explained Richard D. Fairbank, Capital One’s Chief Executive Officer, who also serves as the company’s Chairman. In the latest information provided in the press release, the company confirms that the suspect in the incident is already in the custody of the Federal Bureau of Investigation. The company continues to coordinate with the FBI team headed by FBI Seattle Field Officer Joel Martini in partnership with U.S. Attorney Brian T. Moran, who is responsible for the arrest of the unnamed suspect. It is not yet confirmed whether the stolen information is already being used for identity theft campaigns. Capital One addressed initial rumors that the data breach was due to unchecked cloud access; the company strongly denied such a claim. The cloud infrastructure that Capital One signed up with is a separate system and was not affected by the incident.
“The Company carries insurance to cover certain costs associated with a cyber risk event. This insurance is subject to a $10 million deductible and standard exclusions and carries a total coverage limit of $400 million. The timing of recognition of costs may differ from the timing of recognition of any insurance reimbursement,” added Capital One.
The company assured the public that no credit card information was part of the breach, but it also disclosed that 140,000 of the stolen records included the victims’ Social Security numbers. Based on the initial probe, the lost records contain data from both consumers and business clients who transacted with Capital One during the period from 2005 to 2019. Records of customers in that 14-year timeframe include their:
- Residential address
- Postal code
- Email address
- Contact number
- Self-declared income
“We will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected. Safeguarding our customers’ information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses,” emphasized Capital One.