Capital One Falls Victim to One of the Largest Data Breaches Ever
Earlier this year Capital One fell victim to one of the largest data breaches ever, wherein more than 100 million customers’ accounts and credit card applications were compromised. The attack occurred on March 22 and 23, and credit card applications as far back as 2005 were compromised.
According to the Department of Justice and Capital One, the culprit broke into a Capital One server and gained access to 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 bank account numbers. The culprit also seized an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information.
Paige Thompson, who resides in Seattle, is accused of the crimes. The 33-year-old had previously been employed as a software engineer for Amazon Web Services, a cloud hosting company utilized by Capital One. According to a court filing, she was able to gain access to the sensitive information by exploiting a misconfigured web application firewall.
Thompson displayed no characteristics of a seasoned criminal, most glaringly indicated by the fact she posted the information on GitHub using her full first, middle, and last name, according to court filings. She also reportedly boasted on social media about the attack. Additionally, Thompson used the chat service known as Slack to explain the method she used to break into Capital One. Her Slack screen name, “erratic,” was the same handle she used on Twitter as well as a Meetup chatroom.
Thompson’s identity was ultimately brought to light by a Good Samaritan who saw the information on GitHub and brought it to Capital One’s attention. Capital One notified the FBI and a search was conducted the following Monday. Devices were found in her possession that referenced Capital One, as well as other entities that may have been targets of attempted, or actual, breaches.
Capital One indicated it has since fixed the vulnerability that allowed the breach and said it is “unlikely that the information was used for fraud or disseminated by this individual.” They also said, despite the massive extent of the breach, “no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised.”
The company expects to incur between $100 million and $150 million in costs related to the attack. The Capital One breach is yet another reason why companies need to closely monitor the practices of the companies with which they maintain close business ties.