Capital One hack exposes data of 100M+ customer accounts

A Seattle woman has been arrested and charged with hacking into Capital One and gaining access to over 100 million customer accounts at the U.S. bank.

Capital One offices


Paige Thompson allegedly obtained 140,000 Social Security numbers, one million Canadian Social Insurance Numbers, and 80,000 bank account numbers, all of it stored unencrypted, CNN reported, citing Capital One and court filings by the U.S. Department of Justice. Other information taken included names, addresses, balances, credit scores, and more, though no logins or credit card numbers.

Thompson previously worked as a software engineer for Amazon Web Services, Capital One's cloud hosting provider. In the break-in, which took place on March 22 and 23, she allegedly exploited a misconfiguration in a web application firewall, and is said to have intended to share the data with others.

In all, roughly 100 million Americans were affected by the hack, plus 6 million Canadians. Capital One is notifying victims and offering them free credit monitoring and identity protection -- the bank expects to spend between $100 million and $150 million on those costs along with technical and legal expenses.

Thompson was caught because she posted the information on GitHub under her full name, and even bragged about the heist on Slack and social media, the DOJ said.

"I wanna get it off my server that's why Im [sic] archiving all of it lol," she wrote on Slack.

On Slack, she used the nickname "erratic," the same as her identities on Twitter and Meetup. Her Twitter posts are said to have included claims that she wanted to reveal names, birthdays, and Social Security numbers.

The GitHub trove was spotted by someone who notified Capital One, which in turn passed the info along to the FBI. A search of Thompson's home found devices with references to Amazon and Capital One, along with other entities that may or may not have been hacked. Thompson "recognizes that she has acted illegally," according to the DOJ.

Data breaches at major corporations have become a regular occurrence, difficult to avoid because of the sheer number of criminal and state actors and the frequent discovery of new vulnerabilities. Such incidents can also be extremely costly: Equifax recently agreed to pay upwards of $700 million to settle probes of a breach that exposed 140 million Americans.

Apple has remained relatively immune, though an Israeli firm recently said it could break iCloud's security by installing malware on a target iPhone.
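The detail a practitioner takes from "stored unencrypted" is that encryption performed by the storage layer is transparent to whatever is allowed to read the store, so it does not help once a legitimately authorised application path is abused; what still holds up when a whole table is dumped is application-level pseudonymisation with the key kept outside that store. The block below is an added example written for this page, not code from Capital One, AWS or the court filings. It uses only the Python standard library; the key, the field names and the sample number 078-05-1120 (a long-published sample SSN, not a real person's) are constructed for the demonstration.

```python
"""Keyed pseudonymisation of SSNs so that a dump of the datastore yields no usable
identifiers. Added example; not code from Capital One, AWS or the court filings.

The matching column (is this applicant already on file?) stores an HMAC of the SSN
under a key that lives outside the datastore (KMS/HSM). A dumped table then contains
tokens the attacker cannot invert without that key, whereas a plain SHA-256 of a
9-digit number is brute-forced in seconds, especially once the usual "last four"
display value is stored beside it.
"""
import hashlib
import hmac
import re
from typing import Optional

# Constructed demo key. In production it is fetched from a key service at runtime
# and is never written next to the records it protects.
DEMO_KEY = bytes(range(32))


def normalize_ssn(ssn: str) -> str:
    """Strip separators and validate: '078-05-1120' -> '078051120'."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has exactly 9 digits")
    return digits


def unkeyed_token(ssn: str) -> str:
    """The weak variant: an unsalted, unkeyed hash of the SSN."""
    return hashlib.sha256(normalize_ssn(ssn).encode()).hexdigest()


def keyed_token(ssn: str, key: bytes) -> str:
    """The strong variant: HMAC-SHA256 under a key held outside the datastore."""
    return hmac.new(key, normalize_ssn(ssn).encode(), hashlib.sha256).hexdigest()


def masked_ssn(ssn: str) -> str:
    """Display form kept alongside the token for customer-service screens."""
    return "***-**-" + normalize_ssn(ssn)[-4:]


def dumped_row(name: str, ssn: str, key: bytes) -> dict:
    """What one record looks like at rest after pseudonymisation: no plaintext SSN.
    Field names are assumptions for the example."""
    return {
        "name": name,
        "ssn_token": keyed_token(ssn, key),
        "ssn_masked": masked_ssn(ssn),
    }


def brute_force(token: str, last4: str, key: Optional[bytes] = None) -> Optional[str]:
    """The attacker's view of a dumped row: a token plus the masked last four digits.
    Only the first five digits are unknown, so 100,000 candidates cover the space.
    key=None attacks an unkeyed token; a key attacks a keyed token under that guess."""
    for n in range(100_000):
        candidate = f"{n:05d}{last4}"
        if key is None:
            digest = hashlib.sha256(candidate.encode()).hexdigest()
        else:
            digest = hmac.new(key, candidate.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(digest, token):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed input: 078-05-1120 is a published sample SSN, not a real person's.
    row = dumped_row("Example Applicant", "078-05-1120", DEMO_KEY)
    print("row at rest:", row)
    print("unkeyed hash recovered:", brute_force(unkeyed_token("078-05-1120"), "1120"))
    print("keyed token, key not available:", brute_force(row["ssn_token"], "1120", key=b"guess"))
```

The search in brute_force is the whole argument: with the last four digits on display, an unkeyed hash of an SSN falls to a loop that finishes in well under a second on a laptop, and salting per row only multiplies that by the row count. The keyed token survives because the attacker is missing the key, which is why the key has to live somewhere a dump of the datastore does not reach.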

Comments

  • Reply 1 of 23
    Soli (Posts: 10,035, member)
    Thompson was caught because she posted the information on GitHub using her full name, and even bragged about her heist on Slack and social media, the DOJ said. 
    Why are criminals so stupid?
  • Reply 2 of 23
    Soli (Posts: 10,035, member)
    I can both believe and can't believe that Capital One was storing this sensitive information unencrypted.
    edited July 2019
  • Reply 3 of 23
    cornchip (Posts: 1,945, member)
    I bet the peeps that are charged with Apple Corporate Digital Security are paid fantastic sums of money.
  • Reply 4 of 23
    Soli (Posts: 10,035, member)
    We finally have an answer to Capital One's "What's in your wallet?" slogan…

    Paige Thompson.
    edited July 2019
  • Reply 5 of 23
    auxio (Posts: 2,717, member)
    Soli said:
    We finally have an answer to Capital One's "What's in your wallet" slogan…

    Paige Thompson.
    Their new slogan should be: "Who's in your wallet?"
  • Reply 6 of 23
    GeorgeBMac (Posts: 11,421, member)
    Also stolen were the links to external bank accounts.
    Increasingly we are encouraged by financial houses to tie our bank accounts into their systems -- and it does provide tons of convenience.

    But, what happens when that financial institution gets hacked?
    1)  Your bank account is wide open
    2)  The hacked institution never, ever informs you immediately -- often it is months later while your bank account info is floating around the dark web.

    The same with things like insurance companies who want to pull money out of your account each month via ACH.   Two things wrong with that:
    1)  When you decide to stop it, the onus is on you to figure out how to maneuver their system to stop it and possibly recover excess money they've withdrawn from your account.   Utility companies are great for that.
    2)  When they get hacked, your bank account is opened up to the hackers and the dark web.

    I do two things:
    1)  Avoid giving anybody my bank account info.
    2)  If somebody wants to be paid monthly (like the gas company) I simply instruct my bank to send them a check for a certain amount each month.  Not only is that safer (they never see my bank account info) but it saves me from buying checks and stamps.  Or, preferably, I let them take it from my credit card.
  • Reply 7 of 23
    "Thompson previously worked as a software engineer for Amazon Web Services, Capital One's hosting partner. For the break in, which took place on March 22 and March 23, she supposedly exploited settings in a Web app firewall with the intention of sharing the data elsewhere."

    This part of the story isn't getting enough attention.  
  • Reply 8 of 23
    rob53 (Posts: 3,241, member)
    "Thompson previously worked as a software engineer for Amazon Web Services, Capital One's hosting partner. For the break in, which took place on March 22 and March 23, she supposedly exploited settings in a Web app firewall with the intention of sharing the data elsewhere."

    This part of the story isn't getting enough attention.  
    Nor is the fact they were hosted on AWS. Isn’t Amazon complicit in failing to protect (encrypt) the data? Why wouldn’t all data on AWS be encrypted? Now the NSA and FBI know where to go to get all the data they need. 
  • Reply 9 of 23
    eightzero (Posts: 3,056, member)
    Also stolen were the links to external bank accounts.
    Increasingly we are encouraged by financial houses to tie our bank accounts into their systems -- and it does provide tons of convenience.

    But, what happens when that financial institution gets hacked?
    1)  Your bank account is wide open
    2)  The hacked institution never, ever informs you immediately -- often it is months later while your bank account info is floating around the dark web.

    The same with things like insurance companies who want to pull money out of your account each month via ACH.   Two things wrong with that:
    1)  When you decide to stop it, the onus is on you to figure out how to maneuver their system to stop it and possibly recover excess money they've withdrawn from your account.   Utility companies are great for that.
    2)  When they get hacked, your bank account is opened up to the hackers and the dark web.

    I do two things:
    1)  Avoid giving anybody my bank account info.
    2)  If somebody wants to be paid monthly (like the gas company) I simply instruct my bank to send them a check for a certain amount each month.  Not only is that safer (they never see my bank account info) but it saves me from buying checks and stamps.  Or, preferably, I let them take it from my credit card.
    Query: when I write a check to someone, that check has on its face the ACH and account number. IOW, all the information needed to access that account. While putting this information in digital form makes it far easier to access this in great numbers and from any location, it would seem there are already things in place to protect a diligent account holder (eg the agreement with the bank regarding liability of the account holder.) Pain in the ass to correct? Yes. Disaster because it means you can be cleaned out? Maybe not. 
  • Reply 10 of 23
    dysamoria (Posts: 3,430, member)
    Unencrypted.

    Basically, most of these corporations need to be compromised publicly before they put out the effort (ie spend the money) to protect their customers’ data.

    And people keep saying regulation is bad...
    edited July 2019
  • Reply 11 of 23
    apple ][ (Posts: 9,233, member)
    I've been getting letters from Capital One for years now, asking me to sign up for one of their cards.

    I'm glad that I've always ignored all of them and never signed up.
  • Reply 12 of 23
    MacPro (Posts: 19,718, member)
    apple ][ said:
    I've been getting letters from Capital One for years now, asking me to sign up for one of their cards.

    I'm glad that I've always ignored all of them and never signed up.
    I just got one (just before this news broke) as they had a 60,000 flyer miles promotion if you spend $3,000 in three months.  It seemed a good idea even if I never use it again and cancel after a year so as not to ever be charged an annual fee.  However, after the immediate acceptance, I did notice continual nagging to fill in my bank details so as to enable bill paying.  I didn't want that and skipped that part.  In hindsight, I am bloody glad I did.
  • Reply 13 of 23
    StrangeDays (Posts: 12,834, member)
    Soli said:
    I can both believe and can't believe that Capital One was storing this sensitive information unencrypted.
    Years back I used to consult for a few different departments of Cap One, from public-facing groups like auto finance to commercial loan document processing. At that time we didn’t use third-party cloud storage. Account numbers were not encrypted; the security of prod data was protected by database logins with limited access (ex: credit application app logins could perform inserts only, etc.), and of course firewalls. She got through their firewalls; she must have stolen database admin credentials somewhere too.

    I no longer work there, nor anywhere that uses cloud databases. Perhaps these days encryption is deployed for all columns, but it hasn’t always been. 
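The access scheme the comment above describes (an intake login that can only insert credit applications, nothing that can read the table back) is a least-privilege design worth seeing end to end, because it is exactly what limits the damage when one application's credential is taken. The block below is an added example written for this page, not Capital One code and not a description of their database. A production database would express it with per-login GRANTs and column permissions or views; here SQLite's authorizer hook from the Python standard library plays that role so the block runs offline. The table and column names are assumptions, and the applicant record is constructed.

```python
"""Least-privilege database logins: an intake path that can only INSERT, and a
reporting path that can read but never sees the SSN column. Added example, not
Capital One code; SQLite's authorizer stands in for per-login GRANTs.
"""
import os
import sqlite3
import tempfile

TABLE = "credit_applications"      # assumed table name
HIDDEN_COLUMNS = {"ssn"}           # columns the reporting login must never see

WRITE_ACTIONS = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE}
SCHEMA_ACTIONS = {sqlite3.SQLITE_DROP_TABLE, sqlite3.SQLITE_ALTER_TABLE, sqlite3.SQLITE_ATTACH}


def intake_authorizer(action, arg1, arg2, dbname, source):
    """Intake login: INSERT into the applications table is the only data operation
    allowed. SELECT, column reads, UPDATE, DELETE and schema changes are refused, so a
    stolen intake credential cannot be used to pull the table."""
    if action == sqlite3.SQLITE_INSERT and arg1 == TABLE:
        return sqlite3.SQLITE_OK
    if action in WRITE_ACTIONS | SCHEMA_ACTIONS or action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_READ and arg2:   # arg2 is the column being read
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK   # BEGIN/COMMIT and other non-data actions


def reporting_authorizer(action, arg1, arg2, dbname, source):
    """Reporting login: read-only, with the SSN column masked. Returning SQLITE_IGNORE
    for a READ makes SQLite substitute NULL for that column instead of failing the query."""
    if action in WRITE_ACTIONS | SCHEMA_ACTIONS:
        return sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_READ and arg1 == TABLE and arg2 in HIDDEN_COLUMNS:
        return sqlite3.SQLITE_IGNORE
    return sqlite3.SQLITE_OK


def connect_as(path: str, role: str) -> sqlite3.Connection:
    """Open a connection acting as one of the three 'logins'."""
    conn = sqlite3.connect(path)
    if role == "intake":
        conn.set_authorizer(intake_authorizer)
    elif role == "reporting":
        conn.set_authorizer(reporting_authorizer)
    elif role != "admin":
        raise ValueError(f"unknown role {role!r}")
    return conn


def try_sql(conn, sql, params=()):
    """Run one statement; return (allowed, rows_or_error). A refusal by the
    authorizer surfaces as sqlite3.DatabaseError ('not authorized')."""
    try:
        rows = conn.execute(sql, params).fetchall()
        conn.commit()
        return True, rows
    except sqlite3.DatabaseError as exc:
        return False, str(exc)


def demo() -> dict:
    """Exercise each login against a throw-away database and report what got through."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "applications.db")
        admin = connect_as(path, "admin")
        admin.execute(f"CREATE TABLE {TABLE} (id INTEGER PRIMARY KEY, name TEXT NOT NULL,"
                      " ssn TEXT NOT NULL, requested_limit INTEGER)")
        admin.commit()
        admin.close()

        intake = connect_as(path, "intake")
        reporting = connect_as(path, "reporting")
        r = {}
        # Constructed applicant; 078-05-1120 is a published sample SSN, not a real person's.
        r["intake_insert"], _ = try_sql(
            intake, f"INSERT INTO {TABLE} (name, ssn, requested_limit) VALUES (?, ?, ?)",
            ("Example Applicant", "078-05-1120", 5000))
        r["intake_select"], _ = try_sql(intake, f"SELECT ssn FROM {TABLE}")
        r["intake_delete"], _ = try_sql(intake, f"DELETE FROM {TABLE}")
        r["reporting_select"], r["reporting_rows"] = try_sql(
            reporting, f"SELECT name, ssn, requested_limit FROM {TABLE}")
        r["reporting_update"], _ = try_sql(reporting, f"UPDATE {TABLE} SET requested_limit = 1")
        intake.close()
        reporting.close()
        return r


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:18} {outcome}")
```

The point of the two authorizers is that the privilege is attached to the connection, not to the code calling it: whoever gets hold of the intake login, by whatever route, still cannot run the SELECT that empties the table, and the reporting login receives NULL where the SSN would be. The same separation is what GRANT INSERT without SELECT, or a view that omits the column, buys you on a server database.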
  • Reply 14 of 23
    kestral (Posts: 308, member)
    A Seattle woman has been arrested and charged with hacking into Capital One and gaining access to over 100 million customer accounts at the U.S. bank.

    Women in STEM :D
  • Reply 15 of 23
    GeorgeBMac (Posts: 11,421, member)
    eightzero said:
    Also stolen were the links to external bank accounts.
    Increasingly we are encouraged by financial houses to tie our bank accounts into their systems -- and it does provide tons of convenience.

    But, what happens when that financial institution gets hacked?
    1)  Your bank account is wide open
    2)  The hacked institution never, ever informs you immediately -- often it is months later while your bank account info is floating around the dark web.

    The same with things like insurance companies who want to pull money out of your account each month via ACH.   Two things wrong with that:
    1)  When you decide to stop it, the onus is on you to figure out how to maneuver their system to stop it and possibly recover excess money they've withdrawn from your account.   Utility companies are great for that.
    2)  When they get hacked, your bank account is opened up to the hackers and the dark web.

    I do two things:
    1)  Avoid giving anybody my bank account info.
    2)  If somebody wants to be paid monthly (like the gas company) I simply instruct my bank to send them a check for a certain amount each month.  Not only is that safer (they never see my bank account info) but it saves me from buying checks and stamps.  Or, preferably, I let them take it from my credit card.
    Query: when I write a check to someone, that check has on its face the ACH and account number. IOW, all the information needed to access that account. While putting this information in digital form makes it far easier to access this in great numbers and from any location, it would seem there are already things in place to protect a diligent account holder (eg the agreement with the bank regarding liability of the account holder.) Pain in the ass to correct? Yes. Disaster because it means you can be cleaned out? Maybe not. 
    I agree that bank fraud using somebody's account information has historically been low -- probably because it has been stringently prosecuted and punished.   And, yes, your account information is on the checks you write -- so, on an individual transaction basis, you are exposing your information.   I do not argue with any of that.

    For myself I choose to avoid that risk where possible.
    1)   Knowing that any institution accumulating people's private financial information is a target.  And, that any target can be hacked, I simply avoid putting my information there.
    2)  As for individual checks:   I find it far easier and cheaper to tell my bank to send $85 to my gas company on the first of each month.  And, as a bonus, nobody at that company ever gets to see my checking account number.   (And, it's not just a win for me, but for the bank and the company because neither have to handle the check which saves them money)

    For me, it's kind of like avoiding putting a lot of personal information (like "I'm on vacation this week!") out on social media.   It probably won't make any difference -- but why tempt fate if you don't have to?
  • Reply 16 of 23
    GeorgeBMac (Posts: 11,421, member)
    dysamoria said:
    Unencrypted.

    Basically, most of these corporations need to be compromised publicly before they put out the effort (ie spend the money) to protect their customers’ data.

    And people keep saying regulation is bad...
    Yeah, like the banksters: for them, any cost is simply a cost of doing business -- partly because the company that got hacked suffers relatively limited, minor damage.   It's us, their customers, whose data was stolen and who are at risk for ID theft and fraud.
  • Reply 17 of 23
    SpamSandwich (Posts: 33,407, member)
    rob53 said:
    "Thompson previously worked as a software engineer for Amazon Web Services, Capital One's hosting partner. For the break in, which took place on March 22 and March 23, she supposedly exploited settings in a Web app firewall with the intention of sharing the data elsewhere."

    This part of the story isn't getting enough attention.  
    Nor is the fact they were hosted on AWS. Isn’t Amazon complicit in failing to protect (encrypt) the data? Why wouldn’t all data on AWS be encrypted? Now the NSA and FBI know where to go to get all the data they need. 
    Sounds to me like she either exploited a known weakness or engineered the weakness before she left.
  • Reply 18 of 23
    Thanks, Capital One. Every single month when I log on to pay my bill, they force me to jump through hoops with their pain in the neck mandatory two-factor authentication. All the while, the back end was wide open.
  • Reply 19 of 23
    SpamSandwich (Posts: 33,407, member)
    kestral said:
    A Seattle woman has been arrested and charged with hacking into Capital One and gaining access to over 100 million customer accounts at the U.S. bank.

    Women in STEM  :D 
    “Women can do anything a man can do, only better.”
  • Reply 20 of 23
    netrox (Posts: 1,415, member)
    rob53 said:
    "Thompson previously worked as a software engineer for Amazon Web Services, Capital One's hosting partner. For the break in, which took place on March 22 and March 23, she supposedly exploited settings in a Web app firewall with the intention of sharing the data elsewhere."

    This part of the story isn't getting enough attention.  
    Nor is the fact they were hosted on AWS. Isn’t Amazon complicit in failing to protect (encrypt) the data? Why wouldn’t all data on AWS be encrypted? Now the NSA and FBI know where to go to get all the data they need. 
    Um... no. You cannot make a company responsible for the theft committed by its customer.