Perpetrator Arrested by Federal Law Enforcement
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said
Based on our analysis to date, this event affected approximately 100 million individuals in
Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information
- Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
No bank account numbers or
- About 140,000 Social Security numbers of our credit card customers
- About 80,000 linked bank account numbers of our secured credit card customers
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
We will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected.
Safeguarding our customers' information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses.
We are very thankful to the
For more information about this incident and what
Answers to certain questions related to the cybersecurity incident follow.
What was the vulnerability that led to this incident?
We believe that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment. Among other things, we also augmented our routine automated scanning to look for this issue on a continuous basis.
How did you discover the incident?
Like many companies, we have a responsible disclosure program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on
When did this occur?
Was the data encrypted and/or tokenized?
We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.
However, it is also our practice to tokenize select data fields, most notably
Did this vulnerability arise because you operate on the cloud?
This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments.
The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.
What are the expected financial impacts of the incident?
We expect the incident to generate incremental costs of approximately
For years we have invested heavily in cybersecurity and we will continue to do so. Beyond the adjusting item in 2019, we expect any incremental investments in cybersecurity to be funded within our current budget.
The Company carries insurance to cover certain costs associated with a cyber risk event. This insurance is subject to a
The Company is affirming its existing efficiency guidance, which in all cases is net of adjustments. The Company expects to achieve modest improvement in 2019 annual operating efficiency ratio compared to the 2018 annual operating efficiency ratio. Relative to 2019, the Company also continues to expect modest improvement in 2020 annual operating efficiency ratio. And the Company continues to expect annual operating efficiency ratio to be 42 percent in 2021. The Company continues to expect that improvements in operating efficiency ratio will also drive significant improvement in annual total efficiency ratio in 2021.
Cautionary Statements Regarding Forward-Looking Statements
This document contains forward-looking statements, which involve a number of risks and uncertainties. All statements that address operating performance, events or developments that we expect or anticipate will occur in the future, including those relating to operating results and the cybersecurity incident we announced on
About Capital One
View original content to download multimedia: http://www.prnewswire.com/news-releases/capital-one-announces-data-security-incident-300892738.html
Investor Relations Contact: United States, Jeff Norris, (703) 720-3171, Jeff.Norris@CapitalOne.com; Danielle Dietz, (703) 720-2463, Danielle.Dietz@CapitalOne.com; Media Contacts: United States, Tatiana Stead, (703) 720-2352, Tatiana.Stead@CapitalOne.com; Sie Soheili, (703) 720-3929, Sie.Soheili@CapitalOne.com; Canada, Suma Boby, (905) 599-1434, Suma.Boby@CapitalOne.com