Capital One, the 7th largest U.S. commercial bank and the 5th largest credit card issuer in the United States, has announced that it recently suffered a major data breach that affected more than 100 million credit card applicants in the United States and a further 6 million in Canada.
The data breach was discovered on July 19, 2019, after the hacker allegedly responsible for the attack posted information on her GitHub and social media accounts that tied her to the attack. The accounts were held in the woman’s real name. Capital One was alerted to the posts and notified the FBI.
Seattle software engineer Paige Thompson, 33, was arrested by the FBI in connection with the breach. Her residence was searched, and computer equipment was taken. A storage device found in Thompson’s home contained a copy of the data stolen in the attack.
Thompson had previously been employed as an Amazon Web Services software engineer and had also worked for a Capital One contractor in 2015/6. According to the court documents, Thompson gained access to an AWS cloud server used by Capital One between March 22 and March 23, 2019. Capital One had misconfigured the firewall, which allowed the server to be accessed. Thompson downloaded 700 folders of files from the cloud server.
She was charged with computer fraud and abuse in U.S. District Court on Monday and has a hearing scheduled on August 1, 2019.
The misconfigured firewall cannot be classed as a data leak, as information stored on the cloud server was not freely accessible over the internet. Commands needed to be entered in order to access the data, so the incident can be viewed as a hack, albeit not a particularly difficult one.
Based on the date of the intrusion and the information uncovered by the internal and police investigation, Capital One does not believe the stolen data has been disseminated or used for fraud. However, out of an abundance of caution, Capital One is offering affected individuals credit monitoring services.
Capital One has issued a statement confirming customer data was compromised. Credit card numbers and logins were not exposed, but affected customers had their name, date of birth, contact information, credit score, payment history, credit limit, and balance exposed. A subset of 140,000 individuals had their Social Security number exposed and a further 80,000 had bank account information compromised. Out of the 6 million Canadians affected by the breach, 1 million had their Social Insurance number exposed.
New York Attorney General Letitia James has announced that her office has launched an investigation into the breach, and others will certainly follow suit. Thompson faces up to 5 years in jail and a fine of up to $250,000 if convicted.