Capital One hack exposes data of 100M+ customer accounts
A Seattle woman has been arrested and charged with hacking into Capital One and gaining access to over 100 million customer accounts at the U.S. bank.

Paige Thompson allegedly obtained 140,000 Social Security numbers, one million Canadian Social Insurance Numbers, and 80,000 bank account numbers all stored unencrypted, CNN reported, citing Capital One and court filings by the U.S. Department of Justice. General information stolen included names, addresses, balances, credit scores, and more, though no logins or credit card numbers.
Thompson previously worked as a software engineer for Amazon Web Services, Capital One's hosting partner. For the break-in, which took place on March 22 and March 23, she supposedly exploited settings in a Web application firewall with the intention of sharing the data elsewhere.
In all, roughly 100 million Americans were impacted by the hack, plus 6 million Canadians. Capital One is notifying victims and offering them free credit monitoring and identity protection -- the bank expects to sink between $100 million and $150 million on those costs as well as tech and legal issues.
Thompson was caught because she posted the information on GitHub using her full name, and even bragged about her heist on Slack and social media, the DOJ said.
"I wanna get it off my server that's why Im [sic] archiving all of it lol," she wrote on Slack.
On Slack, she used the nickname "erratic," the same as her identities on Twitter and Meetup. Her Twitter posting is said to have included claims she wanted to reveal names, birthdays, and Social Security numbers.
The GitHub trove was spotted by someone who notified Capital One, which in turn passed the info along to the FBI. A search of Thompson's home found devices with references to Amazon and Capital One, along with other entities that may or may not have been hacked. Thompson "recognizes that she has acted illegally," according to the DOJ.
Data breaches at major corporations have become almost a semi-regular occurrence, difficult to avoid because of the sheer number of criminal and state actors and the frequent discovery of new vulnerabilities. Such incidents can be costly if not disclosed -- Equifax recently agreed to pay upwards of $700 million to settle probes of a breach that exposed 140 million Americans.
Apple has remained relatively immune, though an Israeli firm recently said it could break iCloud's security by installing malware on a target iPhone.
Comments
Paige Thompson.
Increasingly we are encouraged by financial houses to tie our bank accounts into their systems -- and it does provide tons of convenience.
But, what happens when that financial institution gets hacked?
1) Your bank account is wide open
2) The hacked institution never, ever informs you immediately -- often it is months later, while your bank account info is floating around the dark web.
The same with things like insurance companies who want to pull money out of your account each month via ACH. Two things wrong with that:
2) When they get hacked, your bank account is opened up to the hackers and the dark web.
I do two things:
1) Avoid giving anybody my bank account info.
2) If somebody wants to be paid monthly (like the gas company), I simply instruct my bank to send them a check for a certain amount each month. Not only is that safer (they never see my bank account info), but it saves me from buying checks and stamps. Or, preferably, I let them take it from my credit card.
This part of the story isn't getting enough attention.
Basically, most of these corporations need to be compromised publicly before they put out the effort (ie spend the money) to protect their customers’ data.
And people keep saying regulation is bad...
I'm glad that I've always ignored all of them and never signed up.
I no longer work there, nor anywhere that uses cloud databases. Perhaps these days encryption is deployed for all columns, but it hasn’t always been.
Women in STEM
For myself I choose to avoid that risk where possible.
1) Knowing that any institution accumulating people's private financial information is a target, and that any target can be hacked, I simply avoid putting my information there.
2) As for individual checks: I find it far easier and cheaper to tell my bank to send $85 to my gas company on the first of each month. And, as a bonus, nobody at that company ever gets to see my checking account number. (And it's not just a win for me, but for the bank and the company, because neither has to handle the check, which saves them money.)
For me, it's kind of like avoiding putting a lot of personal information (like "I'm on vacation this week!") out on social media. It probably won't make any difference -- but why tempt fate if you don't have to?