Capital One is the latest company to suffer from a hack attack. A configuration vulnerability provided unauthorized access to a hacker who was able to obtain personal information of about 100 million U.S. individuals and 6 million Canadian individuals.
RELATED CONTENT: The costs of data breaches are rising
“We believe that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment. Among other things, we also augmented our routine automated scanning to look for this issue on a continuous basis,” Capital One wrote in a statement.
The news comes in the same month that high profile data breaches reached a settlement with the Federal Trade Commission. Equifax has agreed to pay $575 million in its data breach settlement and Facebook agreed to $5 billion.
According to Capital One, security researchers reported the vulnerability directly to the company through the Responsible Disclosure Program on July 17, 2019. A couple days later the company determined there had been unauthorized access that occurred on March 22 and 23, 2019.
Working with law enforcement, Capital One and the FBI were able to find the attacker. A former Amazon employee was arrested for the hack attack. “Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” said U.S. Attorney Brian Moran. “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”
The hacker, Paige Thompson, could face up to five years in prison and a $250,000 fine.
Capital One expects the financial impact of the breach to cost around $100 to $150 million. According to the company, this will be driven by customer notifications, credit monitoring, technology costs, and legal support.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard Fairbank, chairman and CEO. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”