Cyber Incident Victim: Capital One Financial Corporation
Date: Jul 2019
Location: United States of America
Summary
A cybersecurity breach at Capital One compromised personal data of approximately 100 million US and 6 million Canadian individuals, primarily involving information from credit card applications such as names, addresses, contact details, birth dates, and self-reported income. The incident also exposed portions of customer credit data—including scores, limits, balances, and payment histories—along with fragments of transaction records spanning 23 days. Approximately 140,000 US Social Security numbers, 80,000 linked bank account numbers, and 1 million Canadian social insurance numbers were accessed. The company identified and remediated the exploited configuration vulnerability promptly, leading to the perpetrator's arrest. While the institution assessed the stolen data as unlikely to have been used for fraud or further disseminated, investigations remained ongoing.
Description
The Capital One data breach, discovered on July 19, 2019, compromised the personal information of approximately 100 million individuals in the United States and 6 million in Canada. The unauthorized access targeted data collected from credit card applications submitted between 2005 and 2019, exposing names, addresses, zip codes, phone numbers, email addresses, dates of birth, and self-reported income. Additionally, the attacker obtained portions of credit card customer data, including credit scores, credit limits, account balances, payment histories, and contact information. Fragmented transaction records spanning 23 days across 2016, 2017, and 2018 were also accessed. The breach specifically compromised 1 million Canadian Social Insurance Numbers, 140,000 U.S. Social Security Numbers, and 80,000 linked bank account numbers, despite initial statements from Capital One denying the exposure of Social Security Numbers or bank account details.

Capital One identified and remediated the configuration vulnerability exploited by the attacker immediately upon discovery. Law enforcement arrested the individual responsible, who remained in custody at the time of the disclosure. The company stated its investigation found no evidence suggesting the compromised data had been used for fraudulent purposes or widely disseminated. Capital One emphasized ongoing efforts to assess the breach’s full impact while maintaining that the vulnerability had been neutralized. The incident highlighted risks associated with stored consumer credit application data accumulated over a 14-year period, though the institution did not disclose technical specifics about the exploited misconfiguration or the attacker’s identity in its initial public statement.
