Capital One reveals historic data breach after FBI arrests Seattle suspect

Capital One revealed a massive data breach today that affected more than 100 million people, exposing credit card applications, bank account information and Social Security numbers in possibly the biggest bank breach ever.

The bank announced the hack the same day the FBI arrested a suspect, Paige A. Thompson, who worked for Amazon Web Services years before the digital theft took place.

Capital One said it discovered the breach on July 19 after details of the hack were posted on the code sharing website GitHub. The complaint filed against Thompson in the District Court for the Western District of Washington at Seattle said the breach occurred between March 12 and July 17. The bank, one of the largest issuers of credit cards in the country, identified the precise dates as March 22 and 23.

The Justice Department identified Thompson as a former Seattle technology company software engineer. Thompson worked for AWS from 2015 to 2016. The cloud computing giant is competing for a $10 billion cloud computing contract at the Pentagon.

"An individual who was arrested in conjunction with this investigation is a former employee, though they left the company roughly three years before any of this took place," an Amazon spokesperson said.

"AWS was not compromised in any way and functioned as designed," the spokesperson said. "The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud."

The majority of the nearly 100 million U.S. individuals and 6 million Canadians affected were from small businesses that applied for credit cards between 2005 and 2019, according to the bank. The compromised data included information common to such applications, including dates of birth and self-reported income, Capital One said.

In some cases, the breach included access of other information, such as 140,000 Social Security numbers for credit card customers and 80,000 linked bank account numbers.

"Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual," Capital One said in a statement.

Capital One will provide free credit monitoring to victims, the company said. It also said it had identified the vulnerabilities exploited and fixed them.

Capital One said the costs it will incur for credit monitoring and other associated costs would total $100-150 million in 2019. The company carries a total coverage limit of $400 million in cybersecurity insurance.