Millions Compromised in Capital One Breach
This has easily become one of the biggest data breaches ever. 100 million Capital One customers’ accounts and applications for credit cards were accessed by a hacker earlier this week. The accused hacker is Paige Thompson, who was able to break into a Capital One server and acquire 140,000 Social Security numbers, a million Canadian Social Insurance numbers, 80,000 bank account numbers, as well as an undisclosed amount of customers’ names, credit scores, addresses, credit limits, balances, and other personal information. All of this information was released from the bank and the US Department of Justice.
According to a criminal complaint, Thompson attempted to leak the information with other people online. The accused, who is 33 and lives in Seattle, previously worked as a software engineer for Amazon Web Services (AWS). AWS is the cloud hosting company that Capital One deployed. So how did she gain all of this information? A court filing stated that the hacker exploited a misconfigured web application firewall to gain access to all the personal files.
Capital one announced that the hack includes information that dates as far back as 2005. The vulnerability is said to have been fixed and the bank is saying that the leaked information was unlikely distributed or used for fraud. At this time, the company is continuing its investigation and is committed to making things right again.
100 million people in the United States and 6 million people in Canada were affected by this breach. These numbers are massive and it easily is deemed one of the biggest breaches to date. Although the amount of those affected is devastating, the company notes that all accounts and 99% of Social Security numbers were not compromised. For those whose information was violated, Capital One is offering free credit monitoring and identity protection. What is this costing the company? To cover costs related to the hack, customer support with credit monitoring, tech, and legal expenses, Capital One is expecting to incur $100-$150 million. On top of that, its stocks dropped by 5%.
How did this all happen?
In the investigation, it reveals that the suspect was less than careful while she was hacking the financial giant. Using her full name, first middle and last, she posted on GitHub and bragged on social media about her Capital One acquisitions. On Slack, a chatting platform used by groups and businesses, Thompson went into detail on how she hacked into the company. According to reports by the Justice Department, she claimed to have utilized a command to extract files from the company’s cloud service, AWS. On the chat service, she posted how she wanted to get the files off her server and was in the process of archiving everything she retrieved. In addition to using her real name, Thompson also used the same screen name, “erratic”, she uses as her Twitter handle. An FBI agent who was a part of the investigation said Thompson even tweeted about her plans to distribute Social Security numbers and other information. At the end of the day, Thompson recognizes her activity as illegal.
Moving forward, this is just another instance that highlights how cybersecurity is at risk and should be a priority among consumers. Be wary of scammers, whether they contact you through phone or email. Staying vigilant on how your personal data is collected and monitored will help mitigate threats.