Credit card provider Capital One has admitted it has fallen victim to a huge data breach that resulted in the theft of personal details of around 106 million customers in North America.
The firm revealed data gathered from consumers who were applying for a credit card were compromised, including names, addresses, zip/postal codes, phone numbers, email addresses, dates of birth and self-reported income.
In addition to this, some customer status information, including credit scores, credit limits, balances and payment history, was stolen. Around 140,000 credit card customers in the US also had Social Security numbers compromised, while 80,000 people had linked bank account numbers lost.
In total, the breach is thought to have affected some 100 million people in the US, as well as six million in Canada. Around one million of the Canadian victims had Social Insurance Numbers compromised.
The FBI has been investigating the breach and on Monday arrested the person believed to be responsible for the theft, who has been identified as a Seattle-based software engineer who had boasted about the breach online. She has already appeared in court charged with computer fraud and abuse.
All those affected by the breach will be offered free credit monitoring and identity protection, though the company said it did not believe the person responsible had used the data for fraud or disseminated it prior to being arrested.
Chairman and chief executive at Capital One Richard Fairbank said: “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Capital One explained the breach had been traced back to a “misconfiguration vulnerability” in its infrastructure, which has since been addressed. This was reported to the company by an external security researcher on July 17th. The company then began its own internal investigation, leading to the discovery of the incident on July 19th.
It also added it expects costs arising from the incident to reach between $100 million (£82.17 million) and $150 million, with expenses including customer notifications, credit monitoring, technology costs and legal support.