A former tech worker in Seattle faces federal charges in a Capital One data breach estimated to impact 106 million people in the U.S. and Canada.
Paige A. Thompson, 33, bypassed a firewall and gained access to Capital One servers, downloading personal data including birth dates and credit scores, the FBI alleges.
Thompson is accused of posting the information on the software development site GitHub, where a user alerted Capital One on July 19, the FBI said.
The FBI arrested Thompson on Monday and charged her with computer fraud and abuse.
In a news release Monday evening, Capital One -- which has a headquarters in Tysons -- said officials immediately fixed the "configuration vulnerability that this individual exploited and promptly began working with federal law enforcement."
Capital One said an initial assessment shows it is unlikely the breached information was used for fraud, but the investigation continues.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, Chairman and CEO. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
Based on the company's analysis to date, the event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
No credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised, Capital One said.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for credit card products from 2005 through early 2019.
The information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
- Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
No bank account numbers or Social Security numbers were compromised, other than:
- About 140,000 Social Security numbers of our credit card customers
- About 80,000 linked bank account numbers of our secured credit card customers
Capital One said it will notify affected individuals through a "variety of channels" and make free credit monitoring and identity protection available to everyone affected.
For more information about this incident and what Capital One is doing to respond, visit www.capitalone.com/facts2019.