WASHINGTON - The fifth-biggest credit card issuer in the US Capital One said Monday that the personal information of more than 100 million customers was compromised during a massive data breach by a hacker.
"Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada," Capital One said in a statement.
Some critical personal information, including the Social Security numbers of about 140,000 credit card customers, about 80,000 linked bank account numbers of secured credit card customers and about 1 million social insurance numbers of the bank's Canadian credit card users, was compromised.
The credit card application information of consumers and small businesses from 2005 through early 2019 was the largest category of information breached by the hacker, which includes names, addresses, zip codes or postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Other personal information, including credit scores, credit limits, balances, payment history, contact information and fragments of transaction data, was also compromised, said the bank.
Even though the scale of the breach is quite astonishing, the Virginia-based bank said "no credit card account numbers or log-in credentials were compromised" and "over 99 percent of Social Security numbers were not compromised" based on its investigation.
Paige Thompson, a 33-year-old former software engineer, was arrested in connection with the massive data breach, the U.S. Department of Justice said Monday.
The bank has "immediately fixed the configuration vulnerability" Thompson exploited, and promises to notify customers affected and provide them with free credit monitoring and identity protection, according to the statement.
"I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right," said Richard D. Fairbank, CEO of Capital One.
The breach could have a negative impact on Capital One's financial performance. The incident is expected to generate incremental costs of approximately $100 to $150 million in 2019, mostly driven by "customer notifications, credit monitoring, technology costs and legal support," said the bank.