Capital One Financial Corp., the North American bank holding giant, announced on Monday that a hacker had managed to gain access to the personal information of more than 6 million Canadians and 100 million Americans.
The company said it discovered the hack on July 19. The data was taken from Capital One’s credit card applicants and included names, addresses, zip codes, phone numbers, credit scores, and balances. Up to 140,000 social security numbers and 80,000 linked bank account numbers in the United States were also accessed by the hacker. In Canada, the social security numbers of 1 million customers were compromised.
The FBI was involved in the case and has arrested the hacker behind the incident. Paige Thompson, a 33-year-old former software engineer, was charged with computer fraud and abuse by the U.S. District Court in Seattle, after cyber investigators were able to trace the source of the hack and execute a search warrant at her residence.
Although Capital One said it is unlikely the information was used for fraud, they are offering free identity theft insurance as well as credit monitoring services to all affected customers.
Capital One’s chairman and CEO, Richard D. Fairbank, also issued a formal apology regarding the incident. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Fairbank said. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Following the announcement of the security breach, Capital One’s stock dropped nearly 7% as of the morning of July 30.
The company said it will be notifying the individuals who were impacted by the hack through “a variety of channels,” and encourages customers to set up account alerts to keep track of activity so that they can further protect their information.
As for additional steps, Capital One advises Canadians to order a copy of their credit report from credit bureaus Equifax Canada or TransUnion Canada. The reports can be reviewed for suspicious activity, such as unfamiliar company inquiries or unauthorized accounts being opened, and contains personal data such as social insurance numbers that can be checked for accuracy. Any errors can be brought to the attention of the credit bureaus for correction.
Thompson made her first appearance in the U.S. District Court in Seattle on July 29, and will be attending a hearing scheduled for Aug. 1.