On July 29, 2019, Capital One reported that their customers’ confidential information was compromised. This includes the Social Security and bank account numbers of more than 100 million people and small businesses in the U.S., along with 6 million in Canada.
The McLean, Virginia-based bank discovered the vulnerability in its system July 19 and immediately sought help from law enforcement to catch the perpetrator. They waited until July 29 to inform customers.
How Did The Hacker Get Into Capital One’s System?
According to court documents in the Capital One case, the hacker obtained this information by finding a misconfigured firewall on Capital One’s Amazon Web Services (AWS) cloud server.
Amazon said that AWS wasn’t compromised in any way. They say that the hacker gained access through a misconfiguration on the cloud server’s application, not through a vulnerability in its infrastructure.
Capital One says that they immediately fixed the configuration vulnerability that the individual exploited and promptly began working with federal law enforcement.
Who Breached Capital One’s Data?
Paige A. Thompson, a former software engineer in Seattle, is accused of stealing data from Capital One credit card applications.
Thompson was a systems engineer and an employee at Amazon Web Services from 2015 to 2016. In a statement, Amazon said that she left the company three years before the hack took place.
The FBI arrested Thompson on Monday, July 29 for the theft, which occurred between March 12 and July 17. Thompson made her initial appearance in U.S. District Court in Seattle and has been detained pending an August 1 hearing. Computer fraud and abuse are punishable by up to five years in prison and a $250,000 fine.
What Information Was Compromised?
Thompson stole information including credit scores and balances plus the Social Security numbers of about 140,000 customers and 80,000 linked bank account numbers of their secured credit card customers. For Capital One’s Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised.
The largest category of information obtained was that of consumers and small businesses when they applied for one of Capital One’s credit card products from 2005 through early 2019.
Capital One said, some of this information included names, addresses, phone numbers, email addresses, dates of birth and self-reported income.
Other data obtained included credit scores, limits, balances and transaction data from a total of 23 days during 2016, 2017 and 2018.
This is one of the top 10 largest data breaches ever, according to USA TODAY research.
What Is Capital One Saying About The Breach?
They will offer free credit monitoring services to those affected. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual” but committed to investigating the hack fully.
They’ve set up a consumer website about the breach at www.capitalone.com/facts2019 that you should refer to if you’re worried that your information was compromised.
Capital One expects that this hack will cost them approximately $100 million to $150 million in 2019.
What Should Capital One Customers Do?
If you’re a Capital One customer, you should check your account online. You should also freeze your credit through each of the three main credit bureaus: Experian, Equifax and TransUnion.
It’s important to remain vigilant. Businesses should sign up for Dark Web Scanning to detect whether your confidential business information is there for cybercriminals to use.
Prevention is always the best remedy. Ask your IT provider to ensure your that your firewall is properly configured and to continuously remotely monitor your network for intrusions.
Performance-driven professional with 20+ year record of demonstrated success driving significant growth in sales and revenue for products and services. Identify market needs and implement innovative strategies to capture new business. Engaging and articulate presenter with a talent for delivering winning product and sales presentations to a diverse client base.