Millions of Canadians caught in Capital One security breach

Some social insurance numbers accessed

Six million Canadians are affected.

If you have a Capital One credit card, you may be one of them.

The company says its database was hacked and personal information (names, addresses, credit scores and more) snatched, including a million social insurance numbers. No credit card numbers or logins were accessed.

Capital One does not believe any of the information was used for fraud or disseminated, but it continues to investigate.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

– Richard D. Fairbank, Chairman and CEO, Capital One

The breach appears to affect mainly consumers and small businesses who applied for credit card products from 2005 through the early part of this year.

As many as 100 million U.S. customers are affected.

A 33-year-old software engineer has been arrested and charged with computer fraud.

Capital One says it will be in contact with customers impacted by the hack and will offer free credit monitoring and identity protection to everyone affected.

Answers to certain questions related to the cybersecurity incident follow. 

What was the vulnerability that led to this incident?
We believe that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment. Among other things, we also augmented our routine automated scanning to look for this issue on a continuous basis.

How did you discover the incident? 
Like many companies, we have a responsible disclosure program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on July 17, 2019. We then began our own internal investigation, leading to the July 19, 2019, discovery of the incident.

When did this occur?
On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers. This occurred on March 22 and 23, 2019.

Was the data encrypted and/or tokenized?
We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.

However, it is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected.

Did this vulnerability arise because you operate on the cloud?
This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments.

The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.

source: Capital One
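
The separation between encryption and tokenization described in Capital One's answer above, shown as an added illustration that is not Capital One's code or part of its statement: a record is encrypted under a storage key, but the SSN is first replaced by a token issued by a separate vault holding its own key. The `TokenVault` class, the HMAC-based token format, the stand-in keystream cipher and the sample record are all assumptions constructed for this example.

```python
import hashlib, hmac, json, secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for a real cipher such as AES-GCM (assumption, stdlib only):
    XOR the data with an HMAC-SHA256 counter keystream. Same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class TokenVault:
    """Hypothetical separate service: its key and mapping never sit with the data."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # distinct from any storage key
        self._store = {}                      # token -> original value

    def tokenize(self, value: str) -> str:
        mac = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + mac[:24]
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]

def store_record(record: dict, vault: TokenVault, storage_key: bytes,
                 tokenized_fields=("ssn", "account_number")):
    """Tokenize the selected fields, then encrypt the whole record."""
    protected = {k: vault.tokenize(v) if k in tokenized_fields else v
                 for k, v in record.items()}
    nonce = secrets.token_bytes(12)
    return nonce, keystream_xor(storage_key, nonce, json.dumps(protected).encode())

def read_with_storage_key(blob, storage_key: bytes) -> dict:
    """What a party holding only the storage key (and the blob) recovers."""
    nonce, ciphertext = blob
    return json.loads(keystream_xor(storage_key, nonce, ciphertext))

if __name__ == "__main__":
    vault, storage_key = TokenVault(), secrets.token_bytes(32)
    # Constructed sample record, not real data.
    sample = {"name": "Sample Applicant", "credit_score": "700", "ssn": "000-12-3456"}
    blob = store_record(sample, vault, storage_key)
    exposed = read_with_storage_key(blob, storage_key)
    print("decrypted with storage key:", exposed)
    print("detokenized via vault only:", vault.detokenize(exposed["ssn"]))
```

Decrypting with the storage key returns the name and credit score in clear but only a token in place of the SSN; recovering the SSN requires access to the vault as well.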