Capital One said that personal information of more than 100 million people and small businesses who applied for credit in the U.S., and 6 million in Canada, was breached.
The largest category of information accessed was information on consumers and small businesses who applied for one of Capital One’s credit card products from 2005 through early 2019. The hacker obtained personal information, such as names, addresses and dates of birth, as well as financial information, including self-reported income and credit scores.
Capital One Bank found out about the vulnerability in its system July 19th and informed customers on July 29th. This is one of the biggest data breaches ever to hit a financial services company. This breach puts it in the same league in terms of size as the Equifax incident of 2017.
Because of a cloud misconfiguration, the hacker was able to access credit applications, Social Security numbers and bank account numbers.
The FBI has already arrested a suspect in the case: Paige Thompson, a former engineer at Amazon Web Services (AWS), after she boasted about the data theft on GitHub.
According to court documents, Thompson obtained this information by finding the misconfigured firewall on Capital One’s Amazon Web Services (AWS) cloud server. This is something that could have been prevented if Capital One’s IT team had set up their firewall properly.
Amazon said that AWS wasn’t compromised in any way, pointing out that the alleged hacker gained access through a misconfiguration on the cloud server’s application, not through a vulnerability in its infrastructure. A spokesman told Bloomberg that Capital One’s data was not accessed through a vulnerability in AWS systems.
Capital One says that they immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement.
Paige A. Thompson, age 33, is a former software engineer in Seattle. She was a systems engineer and an employee at Amazon Web Services from 2015 to 2016. In a statement, Amazon said that she left the company three years before the hack took place.
The FBI arrested Thompson for the theft, which occurred between March 12th and July 17th. Computer fraud and abuse is punishable by up to five years in prison and a $250,000 fine.
Thompson got information including credit scores and balances plus the Social Security numbers of about 140,000 customers and 80,000 linked bank account numbers of Capital One’s secured credit card customers. Approximately 1 million Social Insurance Numbers of Canadian customers were compromised.
Capital One said “the largest category of information” accessed from applicants who applied for credit cards between 2005 and 2019 was personal information including names, addresses, phone numbers, email addresses, dates of birth and self-reported income.
Other data obtained includes credit scores, limits, balances and “fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.”
“I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right,” said Capital One CEO Richard Fairbank, in a statement.
Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual” but committed to investigating the hack fully.
They will offer free credit monitoring services to those affected. They expect that this hack will cost them approximately $100 million to $150 million in 2019.
They’ve set up a consumer website about the breach at www.capitalone.com/facts2019 that you should refer to if you’re worried that your information was compromised.
Arresting the hacker doesn’t mean that the data hasn’t already reached the Dark Web, a secret internet where criminals post and sell stolen data and credentials.
Although Capital One has pledged credit monitoring for those impacted, banks, businesses and their employees should be doing more to detect potential phishing attacks in the aftermath of the incident.
Victims are going to be phished for years to come, even after the 12 months of credit monitoring expires. Employers and employees need to protect themselves by being more security-aware.
If you’re a Capital One customer, you should take steps now by checking your account online, and freezing your credit through each of the three main credit bureaus: Experian, Equifax and TransUnion.
It’s essential to remain vigilant. Businesses should sign up for Dark Web Monitoring to detect whether their confidential business information is there for cybercriminals to use.
Prevention is always the best remedy. Ensure that your firewall is configured correctly and remotely monitored for network intrusions.