Capital One Financial Corporation on Monday announced a data breach affecting some 100 million people in the United States and another 6 million in Canada. The FBI arrested the alleged perpetrator of the breach in Seattle.
Capital One on July 19 discovered someone had accessed its data stored online and obtained personal information of credit card customers and people who had applied for credit card products.
No credit card account numbers or log-in credentials were compromised in the breach, which is believed to have lasted for nearly five months -- from March 12 to July 17, the company said.
However, the intruder accessed 140,000 Social Security numbers and 80,000 bank account numbers belonging to secured credit card customers. Secured credit cards are issued to people who have no-credit or low-credit ratings.
Based on its analysis to date, Capital One believes it is unlikely that the information was used in any widespread attacks.
"It appears that the breach was discovered before the alleged hacker had a chance to widely disseminate the information for exploit," said former FBI agent Leo Taddeo, now CISO of Cyxtera Technologies, a secure infrastructure platform provider based in Coral Gables, Florida.
"So, if no additional hackers had access to the same entry point, there is a chance the breach was contained," he told TechNewsWorld.
Affected people will be notified through a variety of channels, the company said, and free credit monitoring and identity protection services will be made available to everyone impacted by the event.
The company expects to incur costs related to the breach of US$100 million to $150 million in 2019.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," Capital One CEO Richard D. Fairbank said. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
Hacker Captured
While Fairbank was apologizing for the data breach, the FBI was busy arresting Paige A. Thompson, 33, a former Amazon software engineer, for the Capital One breach.
Thompson was identified as the alleged perpetrator after she bragged on GitHub about stealing Capital One's data, according to a criminal complaint filed in federal court in Seattle. GitHub is the largest website in the world for developers.
Thompson said she accessed the data by exploiting a misconfigured firewall set up to protect the data stored in the Amazon Web Services cloud.
A GitHub user who saw Thompson's comments alerted Capital One. Capital One alerted the FBI, which obtained a search warrant for Thompson's residence. There the agents seized electronic storage devices containing a copy of Capital One's data.
Thompson will face charges of computer fraud and abuse, punishable by up to five years in prison and a $250,000 fine.
In this case, Capital One appears to have been lucky.
"This attacker was careless and boastful. Most hackers trying to promote their own skills will get caught," said Satya Gupta, CTO of Virsec, an applications security company in San Jose, California.
"It's more disturbing that the hacker was not noticed by either Capital One or AWS, who employed her. They had no clue until after the fact," he told TechNewsWorld.
"For Capital One, it was fortuitous that the individual who alerted them to the breach seems to have been one of 'the good guys,'" Cyxtera's Taddeo added.
Nevertheless, there still may be cause for concern, noted Arjun Sethi, a partner and vice chair of the digital transformation practice at A.T. Kearney, a global strategy and management consulting firm based in Chicago.
Regarding the vulnerable Web app, "we don't know if that vulnerability was compromised by prior intruders, or if the data exposed in the current attack was left open for others to leverage," he told TechNewsWorld.
