Capital One Data Breach

Published: 11/21/2025

The Capital One Data Breach was one of the largest and most alarming cybersecurity incidents in recent history. Targeting the financial giant, this breach compromised sensitive customer data, exposing millions to potential fraud and identity theft. Discovered in July 2019, it highlighted serious vulnerabilities in cloud security and underscored the critical need for robust cybersecurity measures.

Capital One Data Breach explained: what happened?

The Capital One Data Breach was discovered on July 19, 2019, and publicly disclosed on July 29, 2019. A misconfigured cloud storage bucket allowed an unauthorized individual to access personal data tied to 106 million credit card applicants in the U.S. and Canada. This incident showcased the dangers of cloud misconfigurations and raised questions about data protection in modern infrastructures.

When did the Capital One Data Breach happen?

The breach reportedly occurred between March 22 and 23, 2019, although Capital One only discovered it on July 19, 2019, following a tip-off from an ethical hacker.

Who hacked Capital One?

The attacker behind the Capital One data breach was Paige Thompson, a former software engineer for Amazon Web Services (AWS). Thompson exploited her knowledge of cloud infrastructure to locate and access Capital One’s misconfigured cloud storage bucket.

How did the Capital One Breach happen?

The breach stemmed from a misconfigured web application firewall (WAF) within Capital One's AWS infrastructure. This vulnerability enabled the attacker to send server-side request forgery (SSRF) commands to access restricted information.

Capital One Data Breach Timeline

March 22–23, 2019 – Unauthorized access occurred.
July 19, 2019 – Capital One was notified of the breach.
July 29, 2019 – Public disclosure of the incident.
August 2019 – Paige Thompson was arrested by the FBI.

Technical details

The attacker exploited SSRF vulnerabilities that allowed access to API credentials stored in the cloud. These credentials were then leveraged to copy data from Capital One’s storage.

Indicators of Compromise (IoCs)

IP addresses associated with suspicious activity.
Domains used for data exfiltration scripts.
AWS logs showing unauthorized access attempts.

Forensic and incident investigation

Capital One partnered with cybersecurity experts and law enforcement to investigate the breach. The company identified the technical loopholes and implemented controls to prevent recurrence, including closing the exploited vulnerability.

What data was compromised in the Capital One Breach?

The breach exposed the following types of data:

Personal identification information (PII) such as names, addresses, and dates of birth.
Credit scores, limits, and balances for applicants.
Approximately 140,000 Social Security numbers and 80,000 linked bank account numbers for U.S. customers.
Canadian Social Insurance Numbers (SINs) for nearly one million customers.

How many people were affected by the Capital One Data Breach?

Approximately 100 million individuals in the United States and 6 million in Canada had their data exposed. Capital One has not disclosed the total number of unique individuals impacted.

Was my data exposed in the Capital One Breach?

Capital One provided resources, including an online tool and customer support hotline, to help individuals determine if their information was affected. Impacted individuals were also notified directly.

Key impacts of the Capital One Breach

The fallout from the Capital One breach included:

Financial losses of nearly $300 million, including litigation and settlement fees.
Reputational damage, leading to eroded consumer trust.
Regulatory fines, including an $80 million penalty from the Office of the Comptroller of the Currency (OCC).

Response to the Capital One Data Breach

Capital One acted swiftly to contain the damage by securing its systems and cooperating with the FBI. It also implemented additional monitoring, auditing processes, and employee training.

Lessons from the Capital One Data Breach

Here are some key takeaways:

Regularly assess and secure cloud configurations.
Implement robust logging and monitoring solutions to detect suspicious activity early.
Train teams on mitigating vulnerabilities like SSRF.
Encrypt sensitive data at all stages.

Is Capital One safe after the Breach?

Capital One has taken extensive measures to enhance security, including expanded use of encryption, automated compliance audits, and updated WAF configurations. While no system is entirely invulnerable, these efforts have significantly reduced risks.

Mitigation & prevention strategies

To avoid breaches like this, organizations should:

Employ multi-factor authentication (MFA) across all systems.
Regularly audit and secure cloud environments.
Leveragesecurity information and event management tools (SIEM) for visibility.
Respond quickly to warnings from ethical hackers or third parties.

Related Data Breach incidents

FAQs

The breach occurred due to a misconfigured web application firewall (WAF), which enabled the attacker to exploit a vulnerability (SSRF) and gain unauthorized access to sensitive data.

Exposed data included names, addresses, credit details, Social Security numbers, and bank account information for millions of customers.

Paige Thompson, a former AWS engineer, carried out the attack and was arrested by the FBI shortly after the breach was disclosed.

Organizations should secure cloud environments, implement MFA, encrypt sensitive data, monitor configurations, and conduct regular security audits.

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.

Try Huntress for Free