Banking institution Capital One has just revealed that it’s suffered a data breach that exposed the names, addresses, phone numbers, emails, dates of birth, and self-reported incomes of approximately 100 million Americans, and 6 million in Canada, due to a “configuration vulnerability” in the servers of an unnamed cloud computing company hosting the bank’s data.

(Equifax, hold my beer.)

The hacker is already in custody, according to the US Justice Department: 33-year-old Paige Thompson, aka Erratic, who The Wall Street Journal reports is a former Amazon Web Services engineer.

But according to the complaint, the hacker may have shared some of the info on a private Slack chat server before being caught.

Capital One’s press release claims that only 140,000 US social security numbers, 80,000 bank account numbers and 1 million Canadian social insurance numbers were compromised, which may seem small compared to the 106 million affected individuals in total. But realistically, this seems like a lot:

The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including: Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

That’s a good bit of fodder for potential social engineering and identity theft. They’d know who to bother targeting, and how to begin doing so.

Capital One claims that the “configuration vulnerability” has been fixed, that it believes it “unlikely that the information was used for fraud or disseminated by this individual,” and the company says it’ll offer free credit monitoring and identity theft protection to all.

But it’s quite possible that, like with Equifax, customers will want to sue.

The company is telling investors that it expects the breach will cost it between $100 and $150 million this year.

Here’s a larger FAQ from the company.