Massive security hack at credit card giant Capital One exposes data of 106 million North Americans, including six million Canadians
Credit monitoring and identity theft insurance offered
A massive data hack at credit card giant Capital One Financial has compromised the personal data of roughly six million Canadians and exposed one million social insurance numbers — making it one of the largest security breaches in Canadian history.
The incident, which affected about 106 million North American credit card holders, was announced by Capital One Financial late Monday after the alleged hacker, Paige A. Thompson, was charged with computer fraud and abuse in Seattle.
Canada’s Office of the Privacy Commissioner said Capital One has been in contact about the incident and the two are “engaging” but did not say whether it would launch an investigation.
“Given the number of people impacted and the nature of the incident, it certainly raises significant privacy concerns,” spokesperson Anne-Marie Cenaiko said in an emailed statement.
In Canada, where Capital One provides Mastercard credit cards for Costco Wholesale’s Canadian retail network and the Hudson’s Bay Company, Capital One said approximately one million social insurance numbers were compromised. Capital One credit card applications include the option for consumers to provide their social insurance number, but only some applicants choose to provide it.
The incident also exposed the data of roughly 100 million U.S. clients, including about 140,000 Social Security numbers and 80,000 linked bank account numbers.
Most of the information obtained was on consumers and small businesses who applied for a credit card from 2005 through early 2019 and included names, addresses, postal codes, phone numbers, dates of birth and income.
Capital One said affected individuals will be notified through a “variety of channels.” Impacted Canadians will also receive free credit monitoring and identity theft insurance.
“Based on the current information provided by Capital One Financial, there is no indication at this time that this issue impacts any of our businesses’ credit cards or card applications,” said a spokesperson for HBC, in an email.
A spokesperson for Costco Canada directed all questions from The Canadian Press to Capital One.
The Capital One compromise is one of the biggest-ever breaches to impact Canadians — six million is a large chunk of the country’s population, said David Masson, director of enterprise security for cybersecurity firm Darktrace.
“These were economically active members of the Canadian population. So if you strip out young people, those who have retired, this ... figure becomes even more statistically significant.”
Finance Minister Bill Morneau said he has asked the Office of the Superintendent of Financial Institutions, to investigate the breach and ensure that “appropriate steps” are taken to protect Canadians.
“We are deeply concerned by the unacceptable breach at Capital One ... Affected Canadians should contact Capital One immediately. We are working on this vigilantly,” he said on Twitter on Tuesday.
He added that Public Safety Minister Ralph Goodale is also in touch with his counterparts in the U.S. about the matter.
The financial services regulator is “monitoring the situation closely,” said OSFI spokesperson Colin Palmer.
Capital One said that it was unlikely that the information was used for fraud, but Masson said that once data has left secure channels, there is always the possibility of compromise.
“If that information has gone somewhere else, it is now possible for somebody else to use the exact same information to obtain a credit card, bank account, a loan, a mortgage, a financial instrument,” he said. “That’s why it’s so serious. In the modern world, that kind of data is almost effectively currency that can be bought and sold, particularly on the dark web.”
In addition to credit card application data such as phone numbers and dates of birth, the hacker was also able to access credit scores, credit limits and balances.