A hacker gained access to 100 million Capital One credit card applications and accounts.
The bank says about 140,000 Social Security numbers of its credit card customers and around 80,000 linked bank account numbers were compromised.
No credit card account numbers or log-in credentials were exposed.
Capital One issues guidelines on how to shore up account security in the wake of its data breach, which affected about 100 million people.
The recommended actions include receiving activity alerts, reporting suspicious purchases to Capital One and keeping vigilant about possible phishing. (See below)
In one of the biggest data breaches ever, a hacker gained access to more than 100 million Capital One customers' accounts and credit card applications earlier this year.
Paige Thompson is accused of breaking into a Capital One server and gaining access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information, according to the bank and the US Department of Justice.
However, "no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised," the company noted.
A criminal complaint says Thompson tried to share the information with others online. The 33-year-old, who lives in Seattle, had previously worked as a software engineer for Amazon (AMZN) Web Services, the cloud hosting company that Capital One was using, the Justice Department said.
Thompson was arrested Monday in connection with the breach, the Justice Department said. Thompson's attorney could not be immediately reached for comment.
Capital One (COF) said the hack occurred March 22 and 23. The company indicated it fixed the vulnerability and said it is "unlikely that the information was used for fraud or disseminated by this individual." However, the company is still investigating.
"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," said Capital One CEO Richard Fairbank in a statement.
Capital One said it will notify people affected by the breach and will make free credit monitoring and identity protection available.
Capital One has issued guidelines on how to determine if your credit card account was affected by the data breach and steps you can take to shore up security.
The company said Monday the largest category of jeopardized data was information on consumers and small businesses as of the time they applied for credit card products from 2005 through early 2019.
The data included personal information the company said it collects at the time it receives card applications, including names, addresses, ZIP codes, phone numbers, email addresses, dates of birth and self-reported income.
Beyond that application data, it said, the hacker also gained access to credit card data including credit scores, limits, balances and payment history as well as fragments of transactions data from a total of 23 days during 2016, 2017 and 2018.
Here are the guidelines to determine if your information has been accessed, as well as instructions on how to shore up account security.
Capital One will notify affected individuals through “a variety of channels” and make free credit monitoring and identity protection available to all affected.
Capital One believes “it is unlikely that the information was used for fraud or disseminated.”
Enroll in account text and/or email alerts to help keep track of activity.
Monitor credit card accounts for unusual or suspicious activity.
Call the number on the back of the credit card if unusual activity is observed.
Stay vigilant about the possibility of phishing emails and calls following the breach. Phishing is a malicious attempt to access personal information or bank accounts by posing as a legitimate company or official.
Capital One is not calling customers to ask for credit card or account information or Social Security numbers over the phone or via email.
Report emails suspected of phishing activity by forwarding them to the official Capital One security account, firstname.lastname@example.org. Do not reply to suspicious emails, and delete them after forwarding them to Capital One.
For more information and updates on how to tell if you’ve been affected, customers can visit the Capital One website established for this breach, https://www.capitalone.com/facts2019.