With over 100 million individuals’ records exposed, US Congress is questioning Capital One on why data for its clients was accessible.
In one of the largest data breaches to date, Capital One (NYSE:COF) revealed on Monday (July 29) that over 100 million individuals’ data was hacked. It was discovered that the hacker is a former Amazon (NASDAQ:AMZN) software engineer based in Seattle.
Of the users whose data was breached, 6 million are based in Canada and 100 million are in the US. Social insurance numbers, bank account numbers and credit card applications were all compromised.
The hacker, 33-year-old Paige Thompson, was discovered after boasting about the incident online on a hacker website, Internet Relay Chat (IRC).
Thompson was later discovered to have been talking about the hack on various sites, including IRC, since mid-June. In July, the breached data was posted on GitHub, a web-hosting site.
Much of the compromised data was from credit card applications made between 2005 and 2019, Capital One said in a press release. The exposed information includes addresses, birthdates and income, in addition to credit scores and credit limits.
The company advised that the issue has been resolved and that it has advanced anti-fraud systems in place. Clients whose data was implicated will be contacted directly.
“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” said Capital One CEO Richard D. Fairbank.
On Thursday (August 1), US Congress called on both Capital One and Amazon to explain in more detail the scope of the data breach. Representative Jim Jordan (R-OH), part of the House Oversight and Reform Committee, wrote a letter directly to the companies requesting this information. A detention hearing is scheduled for August 15.
“We want to understand how this happened, how other breaches happened … and we want to know how vulnerabilities (appear) in systems and figure out what we must do to deal with them at a policy level,” Senator Mike Crapo (R-ID) told the Associated Press.
According to Reuters, Capital One cited infrastructure issues as part of the reason the attack was successful. Analysts suspect that its reliance on third-party Amazon cloud services could be behind the core vulnerabilities in its client security.
“Today’s revelation reminds investors of the trust that financial institutions place in their client-facing employees and highlights risks of outsourcing any part of client-facing operations,” Morgan Stanley (NYSE:MS) analyst Betsy Graseck told Reuters.
The Capital One incident marks the largest data breach since the Equifax debacle in September 2017, in which over 145 million individuals’ data was exposed. Equifax was fined US$575 million to US$700 million by the Federal Trade Commission in a settlement for failing to implement adequate cybersecurity measures for its clients. The settlement was finalized on July 22 of this year.
Shares of Capital One have declined almost 7 percent since the announcement on Monday, closing at US$91.30 on Thursday.
Securities Disclosure: I, Dorothy Neufeld, hold no direct investment interest in any company mentioned in this article.