- Capital One says it discovered the breach on July 19, adding the Social Security numbers of about 140,000 credit card customers were compromised, along with 80,000 bank account numbers.
- The breach also exposed names, addresses, phone numbers and credit scores, among other data.
- "This headline is not good one for Capital One," says RBC Capital Markets analyst Jon Arfstrom. "We worry about longer term reputational damage and also the potential for political and regulatory actions, including penalties."
Capital One Financial shares fell Tuesday, a day after the disclosure of a data breach that impacted about 100 million individuals in the U.S.
The company said Monday night it discovered the breach on July 19, and that the Social Security numbers of about 140,000 credit card customers were compromised along with 80,000 bank account numbers. The breach also exposed names, addresses, phone numbers and credit scores, among other data.
"Based on our analysis to date, this event affected approximately 100 million individuals in the United States," Capital One said, but noted that credit card numbers and log-in credentials were not impacted. Overall, the breach could cost Capital One between $100 million and $150 million in 2019, the bank said.
Capital One shares skidded 5.9%.
"This headline is not good one for Capital One," said RBC Capital Markets analyst Jon Arfstrom said in a note to clients. "We worry about longer term reputational damage and also the potential for political and regulatory actions, including penalties."
New York Attorney General Letitia James said in a statement her office will investigate the breach. Meanwhile, a credit card customer sued Capital One in a proposed class action.
The breach took place nearly two years after consumer credit reporting company Equifax disclosed a breach that compromised the data of more than 140 million people. Since then, Equifax shares are down about half a percent while the S&P 500 has rallied more than 22%.
However, the Equifax attack was carried out by criminals with a nation-state connection while Capital One's data was breached by a single individual.
The FBI arrested Paige A. Thompson of Seattle, accusing her of computer fraud and abuse. The FBI said in court documents Thompson was investigated for "exfiltrating and stealing information, including credit card applications and other documents, from Capital One."
Capital One said the breach was possible because of a "specific configuration vulnerability in our infrastructure." The bank's web services are primarily hosted by Amazon Web Services, which is Thompson's former employer.
Amazon Web Services said in a statement it was not compromised by the breach. Amazon shares slipped 0.5%.
"Given the amount of tech investment and conversation that revolves around tech and innovation and the underlying perception of being ahead of the tech game compared to peers in the business, we are a bit surprised that a single individual could penetrate COF's defenses and gain access to so many accounts," Oppenheimer analyst Dominick Gabriele wrote in a note. "Short term we think this is a bit of a pride blow and could cause a short-term perception problem, but people will eventually move on."
—CNBC's Michael Bloom, Kate Fazzini and Saheli Roy Choudhury contributed to this report.