On the same day as Capital One’s announcement, a criminal complaint was filed against Paige A. Thompson. The complaint alleges that Thompson exploited a vulnerability in Capital One’s firewall configuration to exfiltrate and then publish data related to credit card applications, including names, addresses, birth dates, and credit history information for tens of millions of individuals, and social security numbers and bank account information for several hundred thousand individuals.
On July 29, 2019, Capital One announced that it had determined that an unauthorized individual had accessed its systems and obtained personal information about Capital One credit card customers and credit applicants, and that approximately 106 million individuals in the US and Canada were affected by the incident. Capital One noted that 80,000 bank account numbers, 140,000 social security numbers, and 1 million Canadian Social Insurance numbers had been compromised, but that no credit card account numbers or log-in credentials had been exposed. The breach was discovered following a report by an “external security researcher” on July 17, 2019 of a vulnerability in the company’s firewall configuration.