Massive security breach at Capital One exposes data of 6 million Canadians

A massive data hack at credit card giant Capital One Financial has compromised the personal data of roughly six million Canadians and exposed one million social insurance numbers — making it one of the largest security breaches in Canadian history.

The incident, which affected about 106 million North American credit card holders, was announced by Capital One Financial late Monday after the alleged hacker, Paige A. Thompson, was charged with computer fraud and abuse in Seattle.

Canada’s Office of the Privacy Commissioner said Capital One has been in contact about the incident and the two are “engaging” but did not say whether it would launch an investigation.

“Given the number of people impacted and the nature of the incident, it certainly raises significant privacy concerns,” spokeswoman Anne-Marie Cenaiko said in an emailed statement.

In Canada, where Capital One provides Mastercard credit cards for Costco Wholesale’s Canadian retail network and the Hudson’s Bay Company, Capital One said approximately one million social insurance numbers were compromised. Capital One credit card applications include the option for consumers to provide their social insurance number, but only some applicants choose to provide it.

The incident also exposed the data of roughly 100 million U.S. clients, including about 140,000 Social Security numbers and 80,000 linked bank account numbers.

Most of the information obtained was on consumers and small businesses who applied for a credit card from 2005 through early 2019 and included names, addresses, postal codes, phone numbers, dates of birth and income.

Capital One said affected individuals will be notified through a “variety of channels.” Impacted Canadians will also receive free credit monitoring and identity theft insurance.

“Based on the current information provided by Capital One Financial, there is no indication at this time that this issue impacts any of our businesses’ credit cards or card applications,” said a spokeswoman for HBC, in an email.

A spokesman for Costco Canada directed all questions from The Canadian Press to Capital One.

The Capital One compromise is one of the biggest-ever breaches to impact Canadians — six million is a large chunk of the country’s population, said David Masson, director of enterprise security for cybersecurity firm Darktrace.

“These were economically active members of the Canadian population. So if you strip out young people, those who have retired, this … figure becomes even more statistically significant.”

Finance Minister Bill Morneau said he has asked the Office of the Superintendent of Financial Institutions, to investigate the breach and ensure that “appropriate steps” are taken to protect Canadians.

“We are deeply concerned by the unacceptable breach at Capital One… Affected Canadians should contact Capital One immediately. We are working on this vigilantly,” he said on Twitter on Tuesday.

He added that Public Safety Minister Ralph Goodale is also in touch with his counterparts in the U.S. about the matter.

The financial services regulator is “monitoring the situation closely,” said OSFI spokesman Colin Palmer.

“When incidents like this occur, OSFI stays in close contact with the financial institution to ensure everything is being done to address the situation as quickly as possible,” he said in a emailed statement.

At this time, the Capital One data breach is being investigated by the Federal Bureau of Investigation in the United States and we would refer you to that agency for comment.

A spokeswoman for the RCMP said the breach is being investigated by the Federal Bureau of Investigation in the United States, and that Canada’s federal police force is “prepared to assist upon request”.

Capital One said that it was unlikely that the information was used for fraud, but Masson said that once data has left secure channels, there is always the possibility of compromise.

“If that information has gone somewhere else, it is now possible for somebody else to use the exact same information to obtain a credit card, bank account, a loan, a mortgage, a financial instrument,” he said.

“That’s why it’s so serious. In the modern world, that kind of data is almost effectively currency that can be bought and sold, particularly on the dark web.”

In addition to credit card application data such as phone numbers, email addresses, dates of birth and self-reported income, the hacker was also able to access credit scores, credit limits and balances, as well as fragments of transaction information from a total of 23 days in 2016, 2017 and 2018.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Capital One CEO Richard Fairbank in a news release. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Capital One said it could not provide information on several questions posed by The Canadian Press, including how many and which branded credit cards were affected and how many of those had their SIN compromised.

The company said it was in the process of notifying impacted customers, but would not elaborate on how or when it would contact consumers.

Under new federal privacy rules that came into force in November, organizations are obligated to report a breach involving personal information under its control if there is a “real risk of significant harm” to an individual. Organizations must also notify the persons impacted and detail, among other things, the circumstances, the personal information compromised and steps the firm has taken to reduce harm.

The security breach is just the latest in a string of data hacks that have affected Canadians in recent years, including at U.S. companies such as Uber and Equifax.

In Canada, Desjardins Group revealed a data breach in June that saw the leak of names, addresses, birthdates, social insurance numbers and other private information from roughly 2.7 million people and 173,000 businesses.

In May, Freedom Mobile confirmed that it had been the victim of a security breach, but said the number of customers potentially exposed to the breach numbered 15,000. Researchers at vpnMentor, who discovered the breach and alerted the company, claimed that up to 1.5 million customers had been potentially affected.

Just Posted

Environment groups warned saying climate change is real could be seen as partisan

OTTAWA — A pre-election chill has descended over some environment charities after… Continue reading

Vikings Days a celebration of Danish immigration, culture

The Danish Canadian Museum near Dickson held its annual Viking Days celebration… Continue reading

Red Deer would be the site of potential TV show

A potential TV show aims to bring Red Deer kids across the… Continue reading

WATCH: ‘Lots to see and do’ at Pioneer Days in Red Deer

Sunnybrook Farm Museum is celebrating its 24th annual Pioneer Days this weekend.… Continue reading

Your community calendar

Thursday The Red Deer and District Garden Club hosts its annual Flower… Continue reading

34% of economists in survey expect a US recession in 2021

WASHINGTON — A number of U.S. business economists appear sufficiently concerned about… Continue reading

Ontario cannabis retailer returns $2.9M in CannTrust products to company

VAUGHAN, Ont. — CannTrust Holdings Inc. says the Ontario government’s cannabis retailer… Continue reading

Pipeline rupture sends 40,000 litres of oil into Alberta creek

DRAYTON VALLEY, Alta. — The Alberta Energy Regulator says a pipeline has… Continue reading

Chrystia Freeland condemns violence in Hong Kong, backs right to peaceful assembly

OTTAWA — Foreign Affairs Minister Chrystia Freeland has condemned violence in Hong… Continue reading

Turtles, butterflies and foxes: Captive breeding for endangered species growing

LANGLEY, B.C. — The turtle in my hand dangles its churning feet… Continue reading

Saskatoon Cubs win Westerns with wild extra-innings comeback

The Saskatoon Cubs showed no quit in the finals of the 18UAAA… Continue reading

Canada ‘disappointed’ terror suspect’s British citizenship revoked

OTTAWA — The United Kingdom is shirking its share of the international… Continue reading

Most Read