Just as Equifax announced a settlement for its massive data breach, Capital One has revealed that someone hacked into its systems earlier this year. According to the company, someone exploited a "configuration vulnerability" that allowed them to access and decrypt customer data affecting over 100 million people in the US, and about 6 million in Canada.
The actual crime occurred on March 22nd and 23rd this year. For about 140,000 people the exposure included Social Security Numbers, and for 80,000 their linked bank account numbers as well. The FBI has already arrested the person believed to be responsible, identified in court documents as Paige Thompson, a software engineer from Seattle who went by the handle "erratic." She apparently worked at an unnamed cloud computing provider (we have a couple of guesses) from 2015 to 2016 that Capital One uses to store its data.
The court complaint explains that she exploited a "misconfigured web application firewall" and posted on Github about it. On July 17th, someone saw the post, alerted Capital One via its disclosure process and two days later it confirmed the theft. The FBI linked her to the theft based on the Github posts under her account, messages sent in a Slack channel, DMs on Twitter, and IP logs showing access to the cloud server from the same VPN service used to post the messages on Github.
The company has decided to focus on the fact that credit card numbers and 99 percent of Social Security numbers weren't stolen, but that still leaves a ton of info that Thompson allegedly obtained without being detected until someone told told them about it.
Capital One said it will notify those who had their data stolen (mostly cardholders and people who had applied for cards between 2005 and early 2019), as well as provide free credit monitoring and identity theft protection. While the FBI and Capital One seem to believe Thompson didn't share the information with anyone or use it for fraud, if it were out there it could be used to impersonate those affected, or to create targeted phishing attacks. Thompson will have a hearing on August 1st, facing a charge of computer fraud and abuse that carries a maximum penalty of five years in jail and a $250,000 fine.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
- Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
- No bank account numbers or Social Security numbers were compromised, other than:
- About 140,000 Social Security numbers of our credit card customers
- About 80,000 linked bank account numbers of our secured credit card customers
- For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
- We will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected.