A massive data hack at credit card giant Capital One Financial has compromised the personal data of roughly six million Canadians and exposed one million social insurance numbers — making it one of the largest security breaches in Canadian history.
The incident, which affected about 106 million North American credit card holders, was announced by Capital One Financial late Monday after the alleged hacker, Paige A. Thompson, was charged with computer fraud and abuse in Seattle.
Canada’s Office of the Privacy Commissioner said Capital One has been in contact about the incident and the two are “engaging” but did not say whether it would launch an investigation.
“Given the number of people impacted and the nature of the incident, it certainly raises significant privacy concerns,” spokeswoman Anne-Marie Cenaiko said in an emailed statement.
In Canada, where Capital One provides Mastercard credit cards for Costco Wholesale’s Canadian retail network and the Hudson’s Bay Company, Capital One said approximately one million social insurance numbers were compromised. Capital One credit card applications include the option for consumers to provide their social insurance number, but only some applicants choose to provide it.
The incident also exposed the data of roughly 100 million U.S. clients, including about 140,000 Social Security numbers and 80,000 linked bank account numbers.
Most of the information obtained was on consumers and small businesses who applied for a credit card from 2005 through early 2019 and included names, addresses, postal codes, phone numbers, dates of birth and income.
Capital One said affected individuals will be notified through a “variety of channels.” Impacted Canadians will also receive free credit monitoring and identity theft insurance.
“Based on the current information provided by Capital One Financial, there is no indication at this time that this issue impacts any of our businesses’ credit cards or card applications,” said a spokeswoman for HBC, in an email.
A spokesman for Costco Canada directed all questions from The Canadian Press to Capital One.
The Capital One compromise is one of the biggest-ever breaches to impact Canadians — six million is a large chunk of the country’s population, said David Masson, director of enterprise security for cybersecurity firm Darktrace.
“These were economically active members of the Canadian population. So if you strip out young people, those who have retired, this … figure becomes even more statistically significant.”
Finance Minister Bill Morneau said he has asked the Office of the Superintendent of Financial Institutions, to investigate the breach and ensure that “appropriate steps” are taken to protect Canadians.
“We are deeply concerned by the unacceptable breach at Capital One… Affected Canadians should contact Capital One immediately. We are working on this vigilantly,” he said on Twitter on Tuesday.
He added that Public Safety Minister Ralph Goodale is also in touch with his counterparts in the U.S. about the matter.
The financial services regulator is “monitoring the situation closely,” said OSFI spokesman Colin Palmer.
“When incidents like this occur, OSFI stays in close contact with the financial institution to ensure everything is being done to address the situation as quickly as possible,” he said in a emailed statement.
At this time, the Capital One data breach is being investigated by the Federal Bureau of Investigation in the United States and we would refer you to that agency for comment.
A spokeswoman for the RCMP said the breach is being investigated by the Federal Bureau of Investigation in the United States, and that Canada’s federal police force is “prepared to assist upon request”.
Capital One said that it was unlikely that the information was used for fraud, but Masson said that once data has left secure channels, there is always the possibility of compromise.
“If that information has gone somewhere else, it is now possible for somebody else to use the exact same information to obtain a credit card, bank account, a loan, a mortgage, a financial instrument,” he said.
“That’s why it’s so serious. In the modern world, that kind of data is almost effectively currency that can be bought and sold, particularly on the dark web.”
In addition to credit card application data such as phone numbers, email addresses, dates of birth and self-reported income, the hacker was also able to access credit scores, credit limits and balances, as well as fragments of transaction information from a total of 23 days in 2016, 2017 and 2018.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Capital One CEO Richard Fairbank in a news release. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Capital One said it could not provide information on several questions posed by The Canadian Press, including how many and which branded credit cards were affected and how many of those had their SIN compromised.
The company said it was in the process of notifying impacted customers, but would not elaborate on how or when it would contact consumers.
Under new federal privacy rules that came into force in November, organizations are obligated to report a breach involving personal information under its control if there is a “real risk of significant harm” to an individual. Organizations must also notify the persons impacted and detail, among other things, the circumstances, the personal information compromised and steps the firm has taken to reduce harm.
The security breach is just the latest in a string of data hacks that have affected Canadians in recent years, including at U.S. companies such as Uber and Equifax.
In Canada, Desjardins Group revealed a data breach in June that saw the leak of names, addresses, birthdates, social insurance numbers and other private information from roughly 2.7 million people and 173,000 businesses.
In May, Freedom Mobile confirmed that it had been the victim of a security breach, but said the number of customers potentially exposed to the breach numbered 15,000. Researchers at vpnMentor, who discovered the breach and alerted the company, claimed that up to 1.5 million customers had been potentially affected.