Capital One Bank on Tuesday announced it was the target of a security breach affecting some 100 million customers in the U.S. and about 6 million in Canada.
The incident occurred on July 19, 2019, when an outside individual accessed certain types of personal information belonging to people who had applied for credit card products and to Capital One credit card customers. Capital One said affected customers will be notified “through a variety of channels,” and that it would make credit monitoring and identity protection services available to those affected.
According to the financial institution, the vulnerability that was used to access the information was immediately fixed and an individual has been arrested by the FBI and is currently in custody.
The biggest chunk of affected information belonged to consumers and small businesses who applied for credit card products from 2005 through the early part of this year, including personal information like names, addresses, zip codes, phone numbers, email addresses, birth dates and self-reported income.
Other portions of credit card customer data obtained during the incident include “customer status data,” like credit scores, limits, balances, payment history and contact information; and parts of transaction data from 23 total days during 2016, 2017 and 2018, Capital One said.
It was not immediately clear how many New Jersey customers were affected during the incident, and Capital One did not respond by press time. The bank operates in more than 50 locations in the state.
Less than 1 percent of customers affected during the incident had their Social Security Numbers compromised (about 140,000 people) and approximately 80,000 linked bank accounts for secured credit card customers were affected.
“Safeguarding our customers’ information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses,” the company said in a news release announcing the incident.
Capital One said it expects the incident to cost the company between $100 and $150 million in 2019, driven largely by notifying customers, legal support, credit monitoring and technology costs. The company carries insurance to cover certain cyber-related event costs, subject to a $10 million deductible and standard exclusions, with a $400 million coverage limit.
More information about the incident and follow-up action can be found here.