A massive breach of Capital One customer data has hit more than 100 million people in the U.S. and 6 million in Canada.
Thanks to a cloud misconfiguration, a hacker was able to access to credit applications, Social Security numbers and bank account numbers in one of the biggest data breaches to ever hit a financial services company — putting it in the same league in terms of size as the Equifax incident of 2017.
The FBI has already arrested a suspect in the case: A former engineer at Amazon Web Services (AWS), Paige Thompson, after she boasted about the data theft on GitHub.
According to a criminal complaint filed in the Western District of Washington’s U.S. Attorney’s Office, the intrusion occurred between March 19 and July 17 via a “misconfigured web application firewall.”
The illegally accessed data, which was stored on cloud servers rented from AWS, was primarily related to credit-card applications made between 2005 and early 2019, by both consumers and businesses. These include a raft of personal information, such as names, addresses and dates of birth; and financial information, including self-reported income and credit scores.
According to Capital One, no credit-card account numbers or log-in credentials were compromised and only about 140,000 Social Security numbers are impacted, meaning that “over 99 percent of Social Security numbers” were untouched, the company said. In Canada, about 1 million social insurance numbers were compromised.
Exposed data also included credit scores, credit limits, balances, payment history, contact information and fragments of transaction data from 23 days during 2016, 2017 and 2018.
“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” said Capital One CEO Richard Fairbank, in a statement.
The company added it fixed what it called a “configuration vulnerability” and that it is “unlikely that the information was used for fraud or disseminated by this individual” — though investigations are ongoing.
The company has pledged credit monitoring for those impacted, but Colin Bastable, chief executive at anti-phishing firm Lucy Security, said banks like Capital Bank and their employees should be doing more to detect potential phishing attacks in the aftermath of the incident.
“Capital One victims are going to be phished for years to come – long after the 12 months’ credit monitoring is done,” explained Bastable in an email statement. “The Dark Web probably knows more about most people in North America than their governments will publicly admit to. Employers need to protect themselves by ensuring that their employees are security-aware.”
The suspect Thompson, who used the alias “erratic” in online conversations, allegedly posted several times about the theft on GitHub and on social media. One posting on a Twitter account with the username “erratic” read: “I’ve basically strapped myself with a bomb vest, f#cking dropping capital ones dox and admitting it.”
News of the Capital One breach comes after U.S. credit monitoring agency Equifax last week agreed to pay up to $700 million to settle a similar incident that hit the company in 2017, affecting nearly 150 million customers.
Amazon, for its part, pointed to the admission of misconfiguration in the court documents and the Capital One statement, with a spokesman telling Bloomberg that Capital One’s data was not accessed through a vulnerability in AWS systems.
“The Capital One breach is proof that companies have a lot to learn when it comes to deploying security technology effectively,” said James Hadley, CEO at Immersive Labs, via email. “From reading their description of the breach, you would be forgiven for thinking it was an elite hacker exploiting a vulnerability. In reality, as stated by the FBI, it was simply a poorly configured firewall that allowed the hacker in.”
Justin Fier, director of cyber-intelligence at Darktrace, echoed Bastable’s warning and said that nabbing the perpetrator — should she prove guilty — does not guarantee that the data has not already reached the Dark Web. “In the new digital era, data is currency, and when it falls into the wrong hands it can spread like wildfire throughout the criminal community,” Fier added.