Capital One data theft may affect tens of millions, U.S. says

Capital One Financial Corp. lost data from as many as tens of millions of credit card applications after a Seattle woman hacked into a cloud-computing company server, federal prosecutors in Seattle said.

The woman, Paige A. Thompson, was arrested Monday and appeared in federal court in Seattle. The data theft occurred between March 12 and July 17, prosecutors said. The cloud-computing company, on whose servers Capital One rented space, wasn’t identified in court papers.

The largest category of data stolen was supplied by consumers and small businesses when they applied for credit cards from 2005 through early 2019, the bank said. It included personal identification data, including names, addresses, phone numbers and dates of birth, and financial data including self-reported income, credit scores and fragments of transaction history. About 140,000 Social Security numbers were accessed, as well as 80,000 bank account numbers from credit-card customers, the bank said.

“I am deeply sorry for what has happened,” Capital One Chief Executive Richard D. Fairbank said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected.”

In court on Monday, Thompson broke down and laid her head down on the defense table during the hearing. She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine.

U.S. Magistrate Judge Mary Alice Theiler ordered Thompson to be held. A bail hearing is set for Thursday.

Capital One, based in McLean, Va., has been one of the most vocal advocates for using cloud services among banks. The lender has said it is migrating an increasing percentage of its applications and data to the cloud and plans to completely exit its data centers by the end of 2020, a move the company says will help lower costs.