Capital One: Hackers steal 100 million Americans’ data

Credit: BBC

A hacker who obtained the names, addresses, phone numbers and birth dates of Capital One customers in the US and Canada has been arrested by the FBI.

Over 100 million Americans have had data stolen by a hacker who obtained credit scores, balances and Social Security numbers of about applicants.

Virginia-based Capital One claimed to have discovered the hack on July 19, immediately seeking help from law enforcement. The FBI complaint details that the bank was emailed two days prior, notifying them that leaked data had appeared on GitHub. A month ago, a Twitter user using the pseudonym “erratic” sent Capital One direct messages threatening to leak the bank’s data.

Paige A Thompson, the user behind “erratic”, was charged with a single count of computer fraud and abuse, in Seattle. Thompson has made a first appearance in court and is in custody pending detention later this week. Thompson’s residence was raided on Monday, with digital devices seized. The FBI conducted an initial search, which found files referencing Capital One and “other entities that may have been targets of attempted or actual network intrusions”.

Capital One claimed the hacker “exploited” a “configuration vulnerability” in their infrastructure. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Chairman Richard Fairbank in a statement. “I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Thompson faces a maximum prison sentence of five years and a $250,000 (£204,713) fine.

Is it easier to hack data these days?

Like Tinder, texting and tweeting, hacking has become a mainstream tech topic as the internet as developed. No longer a concern reserved for computer geeks and IT guys, hacking is a mainstream worry: one that can affect huge swathes of people who otherwise have no more than a passing interest in the web.

The truth is that the world is online. We bank online, make friends online, our post has been redirected to virtual inboxes over the years and a lot of our shopping is conducted on Amazon. With so many accounts and profiles on websites and apps – and with every business you associate with storing their data somewhere accessible – hacking opportunities are rife.

The Capital One scare is not an isolated case. “Although some of the information in those applications (such as Social Security numbers) has been tokenised or encrypted, other information including applicants’ names, addresses, dates of birth and information regarding their credit history has not been tokenised,” the FBI warned of the situation. It is frighteningly easy to obtain such sensitive information unencrypted.


A server can host dozens of websites. That’s potentially limitless data harvested all from one website with open ports and the option to upload a profile picture.


Last year, Cambridge Analytica infamously accessed 87 million Facebook users’ data illegally. Also last year, Facebook-owned WhatsApp, admitted that hackers were able to install spyware on Android and Apple devices. Over 57 million customers of Uber had data hacked in October 2016 and a year later, Yahoo confirmed that all 3 billion of its user accounts were breached.

When hacking a website, for example, hackers look for open ports. From there, they can determine how many files are stored on the webserver. File uploads on sites are one way that attackers can find a way in: unrestricted file upload can lead to hackers performing a complete system takeover, an overloaded file system or database or even simple defacement.

A server can host dozens of websites. Hackers can find a way into a database with root privileges without too much fuss. That’s potentially limitless data harvested all from one website with open ports and the option to upload a profile picture

What happens next for Capital One?

Capital One customers across the pond are being advised to change all their passwords immediately. Checking credit cards and banking statements for suspicious activity is another given.

Capital One’s headquarters in Tysons, Virginia / Credit: Bisnow

However, that’s just the beginning for a bank who may have lost the trust of a lot of their users. Capital One has guessed that the incident will cost $100 million to $150 million in the short term. The data was posted for almost three months; Capital One’s stock was down 5% in premarket trading on Tuesday.

Despite the scare, the bank has claimed that “no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised”.

Luke Conrad

Technology & Marketing Enthusiast

Data Centre Demand Growth Continues to Surge

Brad Legge • 02nd October 2025

The proliferation of digital technologies has thrust data centres into the spotlight as linchpins of modern business infrastructure. From cloud computing to artificial intelligence (AI), these facilities support critical operations across industries. The growing interest in generative artificial intelligence (AI) has triggered a race to develop technology, driving demand for high-density data centres and significantly...

5 Signs Your ERP System is Holding You Back

Adam Palmer • 11th September 2025

Is your ERP helping you move forward — or slowing you down? For a modern business, an ERP system should be a powerful enabler. One that drives agility, delivers real-time insights, and helps drive strategic growth — not something teams feel the need to work around. Yet too often, legacy ERP systems quietly drag down...

Why Wind River is serious about moving from VMware

Paul Miller • 09th September 2025

For IT departments with limited manpower and budgets, improving the efficiency of operational management of distributed IT infrastructure is a pressing issue. Organizations burdened with licensing costs, such as the VMware issue, will want to start optimizing costs and IT resources immediately. We interviewed a vendor that is working on this trend using open technology....

TPIs are the Future of Energy Solutions

David Sheldrake SVP POWWR • 19th June 2025

The energy industry is undergoing a transformation, and Third-Party Intermediaries (TPIs), those brokers and consultants who help businesses procure energy, are at the centre of it. With growing complexity, increasing regulation, and evolving customer expectations, the role of TPIs is shifting from price-focused brokers to strategic energy advisors. While renewable energy adoption continues to reshape...

Quick Commerce and the Retail Media Revolution

Sue Azari • 11th June 2025

Quick commerce has transformed the way consumers shop, redefining convenience with near-instant delivery of groceries, meals, and household essentials. However, beyond its impact on logistics and e-commerce, quick commerce is now emerging as a major force in digital advertising. As consumer behaviours shift toward on-demand purchases, these platforms are leveraging their vast first-party data and...