Hacker stole 100+ million people’s data from Capital One, thousands of SSNs and account information


The FBI and the bank Capital One disclosed Monday a data breach of 106 million credit card applications that compromised information such as names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores and transaction data. It is one of the biggest breaches of a major financial institution in history. Four months after the incident occurred, and within just 10 days of Capital One discovering it, the FBI has already made an arrest in connection with the crime.

The bank launched into damage-control mode almost immediately, pinning the breach on one “highly sophisticated individual” who penetrated its defenses while emphasizing that “no other instances” of the specific “configuration vulnerability” were found. It also took an outside tipster to bring the vulnerability to Capital One’s notice earlier this month, and the bank still needed two days to confirm the breach.

But there is a silver lining: “only” about one percent of the multitudes of affected individuals had their Social Security numbers and bank account numbers compromised, which still adds up to a staggering number given the scale of the hack. “Only” 140,000 Social Security numbers and “only” 80,000 bank account numbers for US customers, plus about 1 million Canadians’ social insurance numbers, were compromised.

Other victims had names, addresses, phone numbers, email addresses, birthdates, credit scores, and self-reported incomes stolen – all information supplied by customers and small businesses who applied for Capital One credit cards between 2005 and 2019.

Capital One claimed that data it “tokenized” (replaced with surrogate values) or encrypted, such as Social Security numbers, remained protected during the breach, but did not explain how the unlucky one percent had that information stolen anyway. The bank promised to “incorporate the learnings from this incident to further strengthen [its] cyber defenses.”

Seattle resident Paige A. Thompson, 33, was charged Monday with one count of computer fraud and abuse, according to the FBI and court records. Thompson, the criminal complaint alleges, went by the hacker name “erratic” in many online accounts and forums. She allegedly exploited a misconfigured firewall to access a Capital One cloud repository and exfiltrate data sometime in March. On April 21, the FBI says, Thompson posted the data to her GitHub account, which included her full name and resume. It is unclear whether anyone downloaded the data after she allegedly posted it, but they very well may have, given that Thompson allegedly talked openly about stealing the data, even on Slack.

At least one person appears to have stumbled across the trove. On July 17, court documents say, an unidentified tipster informed Capital One of its existence by emailing the bank’s responsible disclosure address with a brief warning about the data, and a link to it on GitHub, Wired reported.

“Capital One quickly alerted law enforcement to the data theft—allowing the FBI to trace the intrusion,” US attorney Brian Moran said in a statement. “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”

The criminal complaint against Thompson paints a picture of a less-than-careful suspect.

Thompson posted the information on GitHub, using her full first, middle and last name, the complaint says. She also boasted on social media that she had Capital One information.

In a channel on Slack, a chat service often used by businesses as well as other groups, Thompson explained the method she used to break into Capital One, the Justice Department alleges. She claimed to have used a special command to extract files from a Capital One directory stored on Amazon’s servers.
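The article says a single misconfiguration let one set of credentials pull files out of a cloud repository on Amazon’s servers, but it does not describe the policy that made that possible. The check below is an added example, not code from the article, the complaint, or Capital One: it reviews an IAM policy document for the least-privilege failure that turns one compromised credential into an account-wide download, namely an Allow statement granting S3 list/read actions on a wildcard resource. Both policy documents are constructed for illustration; the bucket name `waf-logs-example` is hypothetical.

```python
"""Flag IAM policy statements that let one credential read every S3 bucket.

Added example (not from the article or from Capital One).  It implements the
generic least-privilege review: does any Allow statement grant S3 read/list
access on a wildcard resource?  The policy documents at the bottom are
constructed for illustration.
"""
from fnmatch import fnmatch

# S3 actions that are enough to enumerate buckets and download their objects.
READ_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")

# Resource values that mean "every bucket / every object in the account".
BROAD_RESOURCES = ("*", "arn:aws:s3:::*", "arn:aws:s3:::*/*")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive globs ('s3:Get*', 's3:*', '*')."""
    return fnmatch(action.lower(), pattern.lower())


def find_broad_s3_grants(policy):
    """Return one finding per Allow statement that grants a read/list S3 action
    on a wildcard resource.  An empty list means nothing was flagged."""
    findings = []
    for idx, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        broad_res = [r for r in _as_list(stmt.get("Resource")) if r in BROAD_RESOURCES]
        if not broad_res:
            continue
        patterns = _as_list(stmt.get("Action"))
        hits = sorted({a for a in READ_ACTIONS
                       for pat in patterns if _action_matches(pat, a)})
        if not hits:
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        finding = f"{sid}: {', '.join(hits)} allowed on {', '.join(broad_res)}"
        if "Condition" in stmt:
            # A Condition may narrow the grant; it still deserves a manual look.
            finding += " (narrowed by a Condition; review it)"
        findings.append(finding)
    return findings


# Constructed example: a role that can list and read everything in the account.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadEverything", "Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Sid": "Metrics", "Effect": "Allow",
         "Action": "cloudwatch:PutMetricData", "Resource": "*"},
    ],
}

# Constructed example: the same role scoped to the one bucket it actually needs
# (hypothetical bucket name).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::waf-logs-example",
                      "arn:aws:s3:::waf-logs-example/*"]},
        {"Sid": "Metrics", "Effect": "Allow",
         "Action": "cloudwatch:PutMetricData", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_broad_s3_grants(policy) or "no broad S3 read grants")
```

Run against the JSON returned by `aws iam get-policy-version` for every role attached to internet-facing compute, and treat any finding as a candidate for scoping to named buckets. The check does not evaluate `NotAction`, `NotResource`, or resource-based bucket policies, so a clean result here is necessary, not sufficient.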

“I wanna get it off my server that’s why Im archiving all of it lol,” Thompson allegedly posted on Slack. One person was alarmed by what Thompson found, writing that the information was “sketchy,” adding, “don’t go to jail plz.”

Thompson made little effort to disguise her identity. She allegedly used the screen name “erratic” on Slack, which was the same handle she used on a Twitter account and a Meetup chatroom page.

The FBI special agent who investigated Thompson believes she tweeted that she wanted to distribute Social Security numbers along with full names and dates of birth.

One person who saw the information on GitHub notified Capital One of the “leaked data” belonging to the company. Capital One notified the FBI, and an agent searched Thompson’s residence on Monday. They found devices in her possession that reference Capital One and Amazon as well as other entities that may have been targets of attempted — or actual — breaches.

The complaint indicates Thompson “recognizes that she has acted illegally.”
