Capital One notifies more clients of SSNs exposed in 2019 data breach

Image: Vinayak Sharma

US bank Capital One notified additional customers that their Social Security numbers were exposed in a data breach announced in July 2019.

The day the breach was disclosed, the Department of Justice arrested and indicted the suspected hacker, former Amazon Web Services (AWS) employee Paige Thompson, who posted about stealing data on GitHub after infiltrating Capital One's AWS cloud servers.

Thompson allegedly stole over 100 million people's personal information, including names, email addresses, dates of birth, transaction data, credit scores, payment history, balances, and for some, linked bank accounts and social security numbers.

The suspect also gained access to roughly 140,000 Social Security numbers and around 80,000 linked bank account numbers of credit card customers. Thompson also used the compromised servers to mine for cryptocurrency, according to the indictment.

Capital One was not the only organization hacked by the attacker, with media reporting that the list of breached companies might also include Vodafone, Ford, Unicredit, the Ohio Department of Transportation, and Michigan State University.

New exposed customer information discovered

While the breach notification letters might seem out of place almost two years after the incident, they were prompted by new findings while analyzing data stolen during the 2019 security breach.

However, after re-analyzing the stolen data using new tools, the bank discovered that the hacker did gain access and stole some of its customers' SSNs.

"Immediately after the 2019 data security incident, we conducted an analysis with the assistance of an external third-party expert to determine what information was accessed by the unauthorized individual," Capital One said. "At that time, we did not identify you as one of the individuals whose Social Security number was part of the accessed data."

"Recently, Capital One re-examined the files that were impacted by the 2019 data security incident using new and more advanced tools. As part of this analysis, we determined that your Social Security number was among the data to which the unauthorized individual gained access."

According to Capital One, the bank notified customers of this additional exposed personal information even though there is no evidence that it was disseminated or used for fraud.

Fines and estimated losses

Capital One said that the incident is expected to generate costs of $100 to $150 million due to customer notifications, free credit monitoring services, security improvement costs, and legal fees.

However, the bank also added that it had cybersecurity insurance that will cover up to $400 million with a $10 million deductible.

Last year, Capital One was fined $80 million by the Office of the Comptroller of the Currency (OCC), the US banking regulator, for its failure to protect its customers' personal and financial information.

"The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner," OCC said.