Amazon Web Services: Capital One Data Breach: What Happened and What to Do


Capital One Breach: One of the Largest Financial Data Exposures in U.S. History

In 2019, Capital One suffered one of the most significant financial data breaches in U.S. history, compromising the personal information of approximately 106 million individuals across the U.S. and Canada. The breach exposed sensitive data, including Social Security numbers, credit scores, bank account details, and application records from credit card applicants dating back to 2005 regardless of whether they became customers.

How the Breach Unfolded

The attack was carried out by Paige Thompson, a former Amazon Web Services (AWS) software engineer. Exploiting a misconfigured web application firewall in Capital One’s cloud infrastructure, Thompson used a server-side request forgery (SSRF) attack to extract temporary AWS credentials. These credentials granted her access to hundreds of Capital One’s data storage buckets, allowing her to exfiltrate data between March 22–23, 2019.
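The mechanism described above, an SSRF that turns a web application into a proxy into the cloud network, is prevented at the application layer by refusing to fetch anything that points inside that network. The following is an added example, not code from Capital One, AWS or this blog: an outbound-URL guard that rejects link-local addresses (the range cloud instance metadata services, which hand out an instance's temporary credentials, are reached on), loopback and RFC 1918 space, including the decimal and IPv4-mapped IPv6 spellings of those addresses, and that checks what an allowlisted DNS name actually resolves to rather than trusting the name. The hostnames, the DNS table and the IP 52.10.20.30 are constructed for the demo; `is_safe_outbound_url`, `allowed_hosts` and `resolver` are names chosen here.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _default_resolver(host):
    """Resolve a DNS name to the set of IP strings it currently points at."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _parse_ip_literal(host):
    """Return an ip_address for hosts that are IP literals, including the
    all-digits decimal form (e.g. '2852039166'), or None for DNS names."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    if host.isdigit():
        try:
            return ipaddress.ip_address(int(host))
        except ValueError:
            return None
    return None


def _is_internal(ip):
    """True for any address a public-facing fetcher should never reach:
    loopback, link-local (where cloud instance metadata services sit),
    RFC 1918 private space, multicast and other reserved or unspecified space."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped          # ::ffff:10.0.0.1 is really 10.0.0.1
    return (not ip.is_global) or ip.is_multicast


def is_safe_outbound_url(url, allowed_hosts, resolver=_default_resolver):
    """Allow url only if it is http(s) and its host is either a public IP
    literal or an allowlisted DNS name that resolves exclusively to public
    addresses. Anything unparseable or unresolvable is refused (fail closed)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname          # lower-cased, brackets stripped from IPv6
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    literal = _parse_ip_literal(host)
    if literal is not None:
        return not _is_internal(literal)
    if host not in {h.lower() for h in allowed_hosts}:
        return False
    try:
        resolved = resolver(host)
    except OSError:                    # socket.gaierror is a subclass of OSError
        return False
    if not resolved:
        return False
    for addr in resolved:
        try:
            if _is_internal(ipaddress.ip_address(addr)):
                return False           # allowlisted name pointing into internal space
        except ValueError:
            return False
    return True


# Constructed DNS table so the demo runs offline; a real deployment uses _default_resolver.
_DEMO_DNS = {
    "api.partner.example": {"52.10.20.30"},           # constructed public address
    "cname-to-internal.example": {"169.254.169.254"},  # allowlisted name rebound to link-local
}


def demo():
    """Classify a few constructed URLs; returns {url: 'allow' | 'block'}."""
    allowed = {"api.partner.example", "cname-to-internal.example"}
    candidates = [
        "https://api.partner.example/v1/report",
        "http://169.254.169.254/latest/meta-data/",   # link-local
        "http://2852039166/",                         # same address in decimal form
        "http://[::ffff:169.254.169.254]/",           # IPv4-mapped IPv6 form
        "http://10.0.3.7/internal",                   # RFC 1918
        "https://cname-to-internal.example/",         # allowlisted name, internal target
        "https://evil.example/",                      # not on the allowlist
        "file:///etc/passwd",                         # wrong scheme
    ]
    resolver = lambda h: _DEMO_DNS.get(h, set())
    return {u: ("allow" if is_safe_outbound_url(u, allowed, resolver) else "block")
            for u in candidates}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:5} {url}")
```

The guard is deliberately a fail-closed allowlist rather than a denylist of known-bad addresses: the decimal, hex and IPv4-mapped spellings handled above are only some of the ways a literal can be rewritten, whereas an allowlist plus a post-resolution address check does not need to enumerate them. A network-layer control (blocking the metadata range from the application's egress, or requiring the metadata service's token-based mode) belongs alongside it, since this check only covers requests that pass through this code path.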

Capital One remained unaware of the breach until July 17, 2019, when an external GitHub user reported Thompson’s online posts under the alias "erratic." The company confirmed the intrusion on July 19, notified the FBI, and publicly disclosed the breach on July 29. Investigators traced Thompson through her digital footprint and, after finding stolen data on her devices, arrested her in late July.

Legal and Financial Fallout

Thompson’s actions were well documented: she openly discussed the breach on GitHub, Slack, and social media, using her real name and online handle. In June 2022, she was convicted on seven counts, including wire fraud and unauthorized computer access. She was initially sentenced to time served plus probation in October 2022, but in March 2025 an appeals court ruled that the penalty was too lenient and ordered a resentencing.

Capital One faced severe regulatory and legal consequences:

  • $80 million fine from the Office of the Comptroller of the Currency (OCC), the first major cloud-related penalty.
  • $190 million class-action settlement for affected customers, with payouts ranging from $75 to $25,000 depending on documented damages.
  • Federal Reserve enforcement actions, including a cease-and-desist order requiring improved risk management.
  • Ongoing oversight until regulators confirmed compliance in 2022 (OCC) and 2023 (Fed).

Scope of the Compromised Data

The breach exposed a vast array of personal and financial details:

  • 106 million records: Names, addresses, phone numbers, emails, dates of birth, and self-reported income.
  • 140,000 U.S. Social Security numbers and 1 million Canadian Social Insurance numbers.
  • 80,000 linked bank account numbers (secured credit card customers).
  • Credit scores, limits, balances, and payment histories for existing customers.
  • No credit card numbers or login credentials were stolen, per Capital One’s disclosure.

A 2021 follow-up investigation revealed an additional 4,700 exposed Social Security numbers beyond the initial count.

Security Failures and Remediation

Capital One’s breach stemmed from critical cloud security lapses, including:

  • A misconfigured firewall that enabled the SSRF attack.
  • Inadequate internal audits that failed to detect the vulnerability before the migration to AWS.
  • Delayed detection: the breach went unnoticed for four months until an external tip.

Post-breach, Capital One patched the vulnerability, revoked compromised credentials, and overhauled its cloud security protocols. Regulators cited the company’s lack of effective risk assessment processes before its cloud migration.
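The detection gap above is the part a defender can close with logging that already exists: temporary credentials issued to a cloud host carry that host's identity, so their use from anywhere else is visible in the API audit trail. The following is an added example, not code from Capital One, AWS or this blog: a small detector over CloudTrail-style records that flags instance-role credentials used from an address the instance is not known to have, and a single session touching an unusual number of distinct storage buckets. The field names (`eventName`, `sourceIPAddress`, `userIdentity.arn`, `requestParameters.bucketName`) are CloudTrail's, but the account id, instance id, role name, access key, addresses, bucket names, the `INSTANCE_ADDRESSES` inventory and the thresholds are all constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: each instance id and the addresses it is known to use.
# In practice this comes from the EC2 inventory, not a literal.
INSTANCE_ADDRESSES = {
    "i-0c0ffee0000000001": {"10.0.1.25", "52.10.20.30"},
}
BUCKET_BURST_THRESHOLD = 5                 # distinct buckets per session per window (assumed tuning)
BUCKET_BURST_WINDOW = timedelta(minutes=10)


def session_name(record):
    """Session name from an assumed-role ARN (its last path element).
    Instance-profile sessions carry the instance id here; None if not a role session."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("arn", "").rsplit("/", 1)[-1] or None


def _event_time(record):
    return datetime.fromisoformat(record["eventTime"].replace("Z", "+00:00"))


def detect_credential_misuse(records, inventory=INSTANCE_ADDRESSES):
    """Return a list of finding dicts for the two signals described in the lead-in."""
    findings = []
    touches = defaultdict(list)            # (session, accessKeyId) -> [(time, bucket)]
    for rec in records:
        sess = session_name(rec)
        if not sess:
            continue
        src = rec.get("sourceIPAddress", "")
        key = rec["userIdentity"].get("accessKeyId", "?")
        # Signal 1: an instance's credentials used from an address the instance never had.
        # Calls AWS services make on the instance's behalf show a *.amazonaws.com source; skip those.
        if sess in inventory and not src.endswith(".amazonaws.com") and src not in inventory[sess]:
            findings.append({
                "rule": "instance-credentials-from-unknown-address",
                "session": sess, "accessKeyId": key, "sourceIPAddress": src,
                "eventName": rec.get("eventName"), "eventTime": rec.get("eventTime"),
            })
        # Collect per-credential bucket touches for signal 2.
        bucket = (rec.get("requestParameters") or {}).get("bucketName")
        if rec.get("eventSource") == "s3.amazonaws.com" and bucket:
            touches[(sess, key)].append((_event_time(rec), bucket))
    for (sess, key), seen in touches.items():
        seen.sort()
        # Sliding window anchored at each touch: distinct buckets within BUCKET_BURST_WINDOW.
        for i, (t0, _) in enumerate(seen):
            buckets = {b for t, b in seen[i:] if t - t0 <= BUCKET_BURST_WINDOW}
            if len(buckets) >= BUCKET_BURST_THRESHOLD:
                findings.append({
                    "rule": "bucket-enumeration-burst", "session": sess, "accessKeyId": key,
                    "distinct_buckets": len(buckets), "window_start": t0.isoformat(),
                })
                break                      # one finding per credential is enough
    return findings


def sample_records():
    """Constructed CloudTrail-style events: one normal call from the instance, then the
    same credentials used from a foreign address to list buckets and walk seven of them."""
    arn = "arn:aws:sts::123456789012:assumed-role/app-server-role/i-0c0ffee0000000001"

    def ev(minute, name, src, bucket=None, key="ASIACONSTRUCTEDKEY01"):
        rec = {"eventTime": f"2019-03-22T10:{minute:02d}:00Z", "eventSource": "s3.amazonaws.com",
               "eventName": name, "sourceIPAddress": src,
               "userIdentity": {"type": "AssumedRole", "arn": arn, "accessKeyId": key}}
        if bucket:
            rec["requestParameters"] = {"bucketName": bucket}
        return rec

    records = [ev(0, "GetObject", "10.0.1.25", "app-assets"),     # normal use from the instance
               ev(5, "ListBuckets", "198.51.100.77")]              # same role, foreign address
    records += [ev(6 + i, "ListObjects", "198.51.100.77", f"data-bucket-{i:03d}") for i in range(7)]
    return records


if __name__ == "__main__":
    for finding in detect_credential_misuse(sample_records()):
        print(finding)
```

On the constructed input the first rule fires once per call made from the foreign address and the second fires once for the credential, which is the shape a real alert pipeline wants: the address rule gives the earliest possible signal (the first call after theft), while the bucket-count rule catches the same activity even when the stolen credentials are replayed from an address that happens to be in the inventory. Both depend on the inventory being current, so it should be rebuilt from the cloud API on a schedule rather than maintained by hand.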

Long-Term Impact

While Capital One stated there was no evidence of fraudulent use of the stolen data, the breach’s scale ensured long-term risks. Exposed information, particularly SSNs and financial details, remains valuable to cybercriminals, fueling identity theft, phishing, and data broker exploitation.

The incident underscored the high stakes of cloud security misconfigurations, resulting in over $270 million in fines and settlements and years of regulatory scrutiny. For affected individuals, the breach highlighted the persistent threat of data exposure, even years after the initial compromise.

Source: https://www.security.org/identity-theft/breach/capital-one/

Amazon Web Services (AWS) cybersecurity rating report: https://www.rankiteo.com/company/amazon-web-services

"id": "AMA1781685326",
"linkid": "amazon-web-services",
"type": "Vulnerability",
"date": "3/2019",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': '106 million individuals',
                        'industry': 'Banking',
                        'location': 'U.S. and Canada',
                        'name': 'Capital One',
                        'type': 'Financial Services'}],
 'attack_vector': 'Server-Side Request Forgery (SSRF)',
 'customer_advisories': 'Yes (public disclosure, class-action settlement '
                        'details)',
 'data_breach': {'data_exfiltration': 'Yes (between March 22–23, 2019)',
                 'number_of_records_exposed': '106 million',
                 'personally_identifiable_information': ['Names',
                                                         'Addresses',
                                                         'Phone Numbers',
                                                         'Emails',
                                                         'Dates of Birth',
                                                         'Social Security '
                                                         'Numbers',
                                                         'Self-Reported '
                                                         'Income'],
                 'sensitivity_of_data': 'High (Social Security numbers, bank '
                                        'account numbers, credit histories)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Financial Data',
                                              'Credit Scores',
                                              'Bank Account Details',
                                              'Application Records']},
 'date_detected': '2019-07-17',
 'date_publicly_disclosed': '2019-07-29',
 'description': 'In 2019, Capital One suffered one of the most significant '
                'financial data breaches in U.S. history, compromising the '
                'personal information of approximately 106 million individuals '
                'across the U.S. and Canada. The breach exposed sensitive '
                'data, including Social Security numbers, credit scores, bank '
                'account details, and application records from credit card '
                'applicants dating back to 2005 regardless of whether they '
                'became customers.',
 'impact': {'brand_reputation_impact': 'Severe (long-term risks of identity '
                                       'theft and phishing)',
            'data_compromised': '106 million records (names, addresses, phone '
                                'numbers, emails, dates of birth, '
                                'self-reported income, Social Security '
                                'numbers, bank account numbers, credit scores, '
                                'limits, balances, payment histories)',
            'financial_loss': '$270 million (fines and settlements)',
            'identity_theft_risk': 'High (exposed Social Security numbers and '
                                   'financial details)',
            'legal_liabilities': 'Class-action settlement, regulatory fines, '
                                 'federal enforcement actions',
            'operational_impact': 'Overhaul of cloud security protocols, '
                                  'regulatory oversight until 2023',
            'payment_information_risk': 'Low (no credit card numbers or login '
                                        'credentials stolen)',
            'systems_affected': 'AWS cloud infrastructure, data storage '
                                'buckets'},
 'initial_access_broker': {'entry_point': 'Misconfigured web application '
                                          'firewall (AWS)',
                           'high_value_targets': 'Data storage buckets'},
 'investigation_status': 'Closed (conviction in 2022, resentencing in 2025)',
 'lessons_learned': 'Critical cloud security lapses (misconfigured firewall, '
                    'inadequate audits, delayed detection). Importance of risk '
                    'assessment before cloud migration.',
 'post_incident_analysis': {'corrective_actions': ['Patched vulnerability',
                                                   'Revoked compromised '
                                                   'credentials',
                                                   'Overhauled cloud security '
                                                   'protocols',
                                                   'Enhanced monitoring'],
                            'root_causes': ['Misconfigured firewall enabling '
                                            'SSRF attack',
                                            'Inadequate internal audits',
                                            'Delayed detection (4 months)']},
 'ransomware': {'data_exfiltration': 'Yes'},
 'recommendations': 'Improve cloud security protocols, enhance internal '
                    'audits, implement real-time monitoring for unauthorized '
                    'access.',
 'references': [{'source': 'Capital One Public Disclosure'},
                {'source': 'FBI Investigation'},
                {'source': 'Office of the Comptroller of the Currency (OCC)'},
                {'source': "GitHub/Social Media (Paige Thompson's posts)"}],
 'regulatory_compliance': {'fines_imposed': ['$80 million (OCC)',
                                             '$190 million (class-action '
                                             'settlement)'],
                           'legal_actions': 'Cease-and-desist order, federal '
                                            'oversight until 2023',
                           'regulations_violated': ['Gramm-Leach-Bliley Act '
                                                    '(GLBA)',
                                                    'Federal Reserve '
                                                    'Regulations'],
                           'regulatory_notifications': 'Yes (OCC, Federal '
                                                       'Reserve)'},
 'response': {'communication_strategy': 'Public disclosure on July 29, 2019',
              'containment_measures': 'Patched vulnerability, revoked '
                                      'compromised credentials',
              'enhanced_monitoring': 'Yes',
              'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'Yes (FBI)',
              'remediation_measures': 'Overhaul of cloud security protocols, '
                                      'enhanced monitoring'},
 'threat_actor': 'Paige Thompson (former Amazon Web Services software '
                 'engineer)',
 'title': 'Capital One Breach: One of the Largest Financial Data Exposures in '
          'U.S. History',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Misconfigured web application firewall in cloud '
                            'infrastructure'}