Just days after Equifax and the government reached a settlement over the largest data breach in history, Capital One disclosed what may be the second-largest.
The Virginia-based bank reports that a hacker accessed the records of around 100 million consumers in the U.S. and Canada. In 2017, hackers penetrated Equifax’s network and stole personal data on 147 million Americans.
According to the bank, the breach may have occurred in March of this year. On July 17, an external security researcher reported a configuration vulnerability that the company confirmed two days later. It further says the accused hacker has been arrested and that it is “unlikely that the information was used for fraud or disseminated” by this individual.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard Fairbank, Capital One’s chairman and CEO. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
Capital One said it believes the breach, which was discovered July 19, affected approximately 100 million people in the United States and around 6 million in Canada. The company said its investigation to date shows that no credit card account numbers or log-in credentials were compromised, and that over 99 percent of Social Security numbers were not compromised either.
Most of the accessed information concerned consumers and small businesses that applied for a Capital One credit card from 2005 to the present. The information includes names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
The intruder was also able to access 140,000 Social Security numbers and 80,000 linked bank account numbers of secured credit card customers. Nearly 1 million Canadian Social Insurance numbers were compromised in the incident.
Capital One said it will notify affected consumers using a variety of channels. It will also make free credit monitoring and identity protection available to everyone affected.
Last week, Equifax agreed to pay $425 million to settle Consumer Financial Protection Bureau (CFPB) charges stemming from its 2017 data breach. In all, the company could pay up to $700 million in relief due to other penalties.