Latest News

Capital One Data Breach Impacts Six Million Customers in Canada

Capital One Data Breach Impacts Six Million Customers in Canada

By Simon Hung

Credit card issuer Capital One has disclosed details of a recent security breach impacting approximately 100 million customers across North America, including six million in Canada.

Capital One, who issue several Mastercard credit cards in Canada including a Costco-exclusive Mastercard and the Hudson’s Bay Rewards Mastercard, discovered the breach on July 19 following an internal investigation that uncovered a security vulnerability that allowed an individual to gain unauthorized access to their customer database on March 22 and 23. The perpetrator has since been arrested by the FBI.

In their statement, the company notes that customers who applied for a Capital One credit card between 2005 and early-2019 may be affected, with a lengthy list of potentially leaked personal information including:

  • Names, addresses, postal codes, phone numbers, email addresses, dates of birth and income
  • Customer status data including credit scores, credit limits, account balances and payment history
  • Fragments of transaction data spanning 23 days in 2016, 2017 and 2018
  • Approximately one million Canadian Social Insurance Numbers

All affected customers will be notified through numerous channels and offered free credit monitoring services and identity theft protection.

Capital One notes credit card numbers and online log-in credentials were not compromised during the incident and believe the stolen data was not disseminated or used for fraud by the perpetrator.

The company is advising customers to be vigilant of any suspicious activity on their account and be wary of fraudulent emails. Concerned customers can contact Capital One directly at 1-833-727-1234 or check the dedicated website for more information and updates about the incident.

____________________

Source: Capital One Canada, with reports from CBC

39 Comments

    • Hmm, another FI compromised. I'm shocked, I tell you...shocked!
    • Report Post
    • Here we go again. Yikes.
    • Report Post
    • Just logged in my C1 account to see this.

      Of course we have to rely on them to properly reach out to the 6 million people affected to get the free credit monitoring instead of just making it available to everyone. :rolleyes:
    • Report Post
    • “The FBI has arrested the person responsible for this cyber incident. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.”
      Meanwhile, the Desjardins guy still hasn’t been arrested. I know I shouldn’t compare both cases, but still...
    • Report Post
    • Seems like the leaked data was stored on Amazon S3 and the perpetrator is a former Amazon software engineer named Paige A. Thompson, 33. You can view the formal complaint filed with the U.S District Court here.
    • Report Post
    • bobohobo2kx wrote:
      I don't think this is accurate. The formal complaint filing says information obtained from the intrusion was posted on GitHub. You can view the complaint here.
      Interesting. That’s what they’re saying in the Canadian statement at least.

      https://www.capitalone.ca/facts2019/
    • Report Post
    • Sauerkraut wrote:
      Jul 29th, 2019 7:24 pm
      Hmm, another FI compromised. I'm shocked, I tell you...shocked!
      Me too. This is becoming everyday story. sad.
    • Report Post
    • Hopefully a class action lawsuit will soon be launched. It's an absolute disgrace for this to happen and I hope they're hit with huge fines for being so careless.
    • Report Post
    • F3el96 wrote:
      Jul 29th, 2019 7:54 pm
      Interesting. That’s what they’re saying in the Canadian statement at least.

      https://www.capitalone.ca/facts2019/
      So I think the complaint and press release are both right. The information posted on GitHub didn't contain any customer information. I re-read the complaint and the GitHub file posted by the Hacker contained commands/instructions on how to execute the hack as well as a list of folders from Capital One's cloud storage. Customer information wasn't posted publicly.
    • Report Post
    • They say you can:
      Additionally, you can request both credit bureaus in Canada - Equifax and TransUnion, to place a fraud alert on your credit report. The alerts on both bureaus stays for 6 years

      I thought you couldn't do this in Canada???
    • Report Post
    • wra45mon wrote:
      Jul 29th, 2019 9:00 pm
      They say you can:
      Additionally, you can request both credit bureaus in Canada - Equifax and TransUnion, to place a fraud alert on your credit report. The alerts on both bureaus stays for 6 years

      I thought you couldn't do this in Canada???
      Great - and then everything you apply for online is 'held' until you call in to verify who you are.
    • Report Post
    • Would this include HBC credit cards?
    • Report Post
    • BigJonsson wrote:
      Jul 29th, 2019 9:18 pm
      Would this include HBC credit cards?
      Yes
    • Report Post
    • Well, hopefully the hacker didn't share the data and no other intrusions were made
    • Report Post
    • According to Doc of Credit: https://www.doctorofcredit.com/capital- ... -affected/
      • No credit card numbers or log in details were stolen
      • Over 99% of social security numbers were not compromised (140,000 social security numbers were stolen & 80,000 linked bank account numbers). The social security numbers that were stolen were from customers that used their Social Security number as their Employer Identification number in applying for small business credit cards
      • Stolen data includes names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income
      • Credit credit data was also stolen:
        Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
        Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
      Dunno if that applies to stolen SIN or not.
    • Report Post
    • We had a Costco CC but canceled couple of years ago, I guess we are screwed? Other than that, we don't have anything with Capital One
    • Report Post
    • Queue the DJ Khaled "Another One" meme.....

      I just cancelled my cap1 card/account a couple of weeks ago 🙄
    • Report Post
    • I looked at Cap1 for a Costco card just to get the extended warranty. Decided it was not worth it. Sure glad I never applied.
    • Report Post
    • I wouldn't really worry about this. There's been so many breaches lately that chances are, your data was already compromised by the previous incidents :lol:
    • Report Post
    • Jon Lai wrote:
      Jul 29th, 2019 10:10 pm
      I wouldn't really worry about this. There's been so many breaches lately that chances are, your data was already compromised by the previous incidents :lol:
      That doesn't mean that I'm not going to do whatever it takes to try and not be involved with any future breaches.


      You got hurt once so you might as well continue getting hurt? 🤔
    • Report Post
    • Jon Lai wrote:
      Jul 29th, 2019 10:10 pm
      I wouldn't really worry about this. There's been so many breaches lately that chances are, your data was already compromised by the previous incidents :lol:
      Chicken dinner!!

      These days I just assume my data is out there somewhere and make preparations accordingly.
    • Report Post
    • arkane wrote:
      Jul 29th, 2019 9:39 pm
      According to Doc of Credit: https://www.doctorofcredit.com/capital- ... -affected/



      Dunno if that applies to stolen SIN or not.
      Nope, that's only for Capital One's small business credit cards in the U.S. They only have consumer credit cards in Canada. So the 6 million Canadian customer data leaked would be from your regular consumer credit card application.
    • Report Post
    • Gtaphotog wrote:
      Jul 29th, 2019 10:16 pm
      That doesn't mean that I'm not going to do whatever it takes to try and not be involved with any future breaches.


      You got hurt once so you might as well continue getting hurt? 🤔
      That's not what I meant. What I meant was more along the lines of what arkane said below:
      arkane wrote:
      Jul 29th, 2019 10:17 pm
      Chicken dinner!!

      These days I just assume my data is out there somewhere and make preparations accordingly.
    • Report Post
    • arkane wrote:
      Jul 29th, 2019 10:17 pm
      Chicken dinner!!

      These days I just assume my data is out there somewhere and make preparations accordingly.
      Best attitude to take! The breach stinks, but meh, no matter how careful a person thinks they are, it's not going to be careful enough ;)!
    • Report Post
    • Jon Lai wrote:
      Jul 29th, 2019 10:21 pm
      That's not what I meant. What I meant was more along the lines of what arkane said below:
      I understand but at the end of the day you still rather not be apart of one.
    • Report Post
    • wra45mon wrote:
      Jul 29th, 2019 9:00 pm
      They say you can:
      Additionally, you can request both credit bureaus in Canada - Equifax and TransUnion, to place a fraud alert on your credit report. The alerts on both bureaus stays for 6 years

      I thought you couldn't do this in Canada???
      I used to have this. The only annoying part is the merchant will always call you on the number you have on your credit file, before they can extend credit.
    • Report Post
    • Gtaphotog wrote:
      Jul 29th, 2019 10:22 pm
      I understand but at the end of the day you still rather not be apart of one.
      It's out of your control though. The only real way to protect yourself is to never use ANY form of credit, mortgages included. That's just not gonna fly in the 21st century.
    • Report Post
    • Can we just agree that nothing is ever secure in the age of the Internet. There is always a way to hack everything and everyone. Why can't any of these hackers ever wipe out our balances in the process?
    • Report Post
    • CC churners are most likely to be affected by future breaches, but CC churners also pay attention to their credit reports more frequent than others, to detect identity fraud etc.
    • Report Post
    • And another one bites the dust...

      This topic is hot among the Info Sec/Cyber Security folks!
    • Report Post
    • OntarioRocks wrote:
      Jul 29th, 2019 10:51 pm
      Can we just agree that nothing is ever secure in the age of the Internet. There is always a way to hack everything and everyone. Why can't any of these hackers ever wipe out our balances in the process?
      They mainly go for PII data and then sell it on the dark web. This is the crown jewels for them when it pertains to a data breach. I am curious to see if Capital One will have to pay a fine such as Equifax.

      If this was Europe, then GDPR will be all over Capital One. Look at British Airways for example that got slapped with a huge GDPR fine.
    • Report Post
    • wra45mon wrote:
      Jul 29th, 2019 9:00 pm
      They say you can:
      Additionally, you can request both credit bureaus in Canada - Equifax and TransUnion, to place a fraud alert on your credit report. The alerts on both bureaus stays for 6 years

      I thought you couldn't do this in Canada???
      You can't freeze your credit which is proactive. If fraudsters have stolen your identity a fraud alert does very little as you're informed after the fact.
    • Report Post
    • amplified wrote:
      Jul 30th, 2019 1:25 am
      You can't freeze your credit which is proactive. If fraudsters have stolen your identity a fraud alert does very little as you're informed after the fact.
      it's because of Canada LOL.
    • Report Post
    • faaaak....

      But but but... my beautiful Aspire with $120 annual - 10k pts netting me $20 annual cost for 2% on everything...

      Looking forward for another 1 year of free monitoring I guess... Hopefully this time both Transunion and Equifax
    • Report Post
    • I guess this also includes Costco mastercards as well??

      shocking 6 million affected
    • Report Post
    • Gtaphotog wrote:
      Jul 29th, 2019 10:22 pm
      I understand but at the end of the day you still rather not be apart of one.
      Doesn't matter, as soon as you turn 18, a credit file is opened in your name. You just gotta hope you're never part of a breach.
    • Report Post
    • Another security nightmare.
    • Report Post
    • My wife with the Desjardins breach, now me with this breach! Ugh!

      So at this point we just wait for a letter ?
    • Report Post
    • Messerschmitt wrote:
      Jul 30th, 2019 2:25 am
      faaaak....

      But but but... my beautiful Aspire with $120 annual - 10k pts netting me $20 annual cost for 2% on everything...

      Looking forward for another 1 year of free monitoring I guess... Hopefully this time both Transunion and Equifax
      Has Cap One offered any free monitoring service? I get free TransUnion through my bank, but is have no idea what's in Equifax.
    • Report Post