Capital One becomes latest bank affected by cyberattack on debt-buying giant
Capital One is the latest financial institution to reveal that it was affected by a cyberattack on NCB Management Services, a company that purchases debt.
The initial response to the incident focused on former customers of Bank of America, but in new letters filed with regulators in several states, Capital One confirmed that its customers were involved.
Pennsylvania-based NCB initially sent out breach notification letters in March after discovering the attack on February 4, writing that 494,969 people had troves of sensitive financial information leaked.
Capital One, one of the largest banks in the U.S., said more than 16,500 people had information like their physical address, Social Security number, account number and account status leaked during the attack on NCB.
“In April 2023, following a thorough investigation, NCB informed Capital One that some of the information accessed by the unauthorized third party related to a set of credit card accounts that Capital One currently or previously owned,” Capital One said in letters to victims.
“As stated in that notice, NCB has secured the services of Kroll to provide two years of free identity monitoring services, which includes credit monitoring, $1 million identity fraud loss reimbursement, fraud consultation, and identity theft restoration,” the bank said.
Capital One filed the documents with regulators in Maine and Texas. Capital One and NCB did not respond to requests for comment.
Sources who spoke on condition of anonymity said NCB had long ignored internal concerns about cybersecurity before allegedly being attacked by a ransomware group.
After the March notices, NCB filed more breach notification letters in May with regulators in Maine, Montana, Vermont, Oregon, Texas, Massachusetts and California. In the letters, the company says it “has obtained assurances that the unauthorized third party no longer has access to any of NCB’s data” – comments typically made when companies pay a ransom to their attackers.
The company has not responded to requests for comment and no ransomware group has publicly taken credit for attacking the company.
The company said that on top of the nearly 500,000 victims from March, more than 1 million additional people were affected by the cyberattack on its systems. The data accessed included financial account numbers, credit card numbers, debit card numbers, security codes, passwords and PINs.
Not every breach notification letter explained what company had sold the data to NCB.
Bank of America, Capital One, Pathward National Association and Exeter Finance are only some of the companies NCB has officially said had information in its systems that was accessed.
The source who spoke on condition of anonymity said NCB provides a range of services to some of the country’s biggest banks and car companies — many of which either hire NCB to track down those who owe money or sell the debt to NCB.
They said NCB purchased more than 1 million accounts from “several big name lenders.” The company has about 375 employees and brings in nearly $50 million in annual revenue.
A consumer rights law firm is already investigating claims on behalf of individuals whose past due accounts with Bank of America were sold to NCB Management Services.
The law firm Sauder Schelkopf told Recorded Future News that it has filed a class action lawsuit against the company on behalf of the victims who had their Bank of America credit card account information accessed.
"Our client is one of nearly half a million people who reportedly received notice that their highly sensitive information was compromised by this data breach. We look forward to seeking the appropriate relief on behalf of these individuals," said Mark DeSanto of Sauder Schelkopf.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.