Capital One data breach involves 100 million credit card applications

Capital One was hacked.


Capital One announced on Monday that data from more than 100 million US citizens and 6 million Canadian residents had been stolen by a hacker. 

If you applied for a credit card from the major US bank from 2005 through 2019, your data is likely caught in this breach, Capital One said in a statement released on Monday. That data includes about 140,000 Social Security numbers and about 80,000 bank account numbers, according to Capital One. The hacker also stole about 1 million social insurance numbers in the breach, the company said.

The company went on to add that “no credit card account numbers or log-in credentials were compromised,” and that more than 99 percent of the Social Security numbers that Capital One has were not affected. But the breach also included names, addresses, zip codes, phone numbers, email addresses and birthdates — all valuable assets that hackers can use to steal from victims.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Chairman and CEO of Capital One. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

The FBI arrested a 33-year-old tech worker named Paige A. Thompson, who goes by the name “erratic,” according to court documents. Prosecutors charged Thompson with computer fraud and abuse, alleging that she was behind the major hack. 

“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” US Attorney Brian T. Moran said in a statement. 

According to court documents, Thompson allegedly stole the information by finding a misconfigured firewall on Capital One’s Amazon Web Services cloud server. Investigators accused Thompson of accessing that server from March 12 to July 17. There were more than 700 folders of data stored on that server, according to the Justice Department. 

Thompson allegedly posted details about the hack on a GitHub page in April and talked about the attack in Twitter and Slack discussions, according to the FBI.

Court documents showed that Capital One did not learn about the hack until July 17, when someone sent a message to the company’s responsible disclosure email address with a link to the GitHub page. The page had been up since April 21, with the IP address for a specific server containing the company’s sensitive data. 

The GitHub page had Thompson’s full name, as well as another page containing her resume. Court documents showed that on the resume, Thompson was listed as a systems engineer and a former employee at Amazon Web Services from 2015 to 2016. 

The FBI also found Twitter message logs where Thompson allegedly wrote, “I’ve basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it,” noting that she wanted to distribute the data she stole.

In a statement, Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual” but committed to investigating the hack fully. Capital One expects this hack will cost the company “approximately $100 to $150 million in 2019.”

The FBI seized Thompson’s devices on Monday after obtaining a search warrant, and arrested the 33-year-old. If found guilty, Thompson faces up to five years in prison and a $250,000 fine. 

This incident comes in the wake of news that Equifax may have to pay up to $700 million over a 2017 data breach. In that breach, the Social Security numbers and home addresses of nearly 148 million Americans were taken from Equifax’s servers in a hack that ran from May to July 2017.

Like Equifax, Capital One said that it would be providing free credit monitoring and identity protection to everyone involved. 

Update, July 29, 6.03pm PT: Adds statement and additional details from Capital One.
Update: 6:46 a.m. PT: Adds details from the FBI’s criminal complaint. 
