Capital One Reports Data Breach Affecting 100 Million Customers, Applicants (#GotBitcoin?)
Alleged hacker, a former employee of Amazon Web Services, arrested by federal agents in Seattle. Capital One Reports Data Breach Affecting 100 Million Customers, Applicants (#GotBitcoin?)
Capital One Financial Corp. , the fifth-largest U.S. credit-card issuer, said Monday that a hacker accessed the personal information of approximately 106 million card customers and applicants, one of the largest-ever data breaches of a large bank.
Paige A. Thompson, 33 years old, was arrested in connection with the hack Monday by federal agents in Seattle, officials said. Ms. Thompson is accused of breaking through a Capital One firewall to access customer data that the bank had stored on Amazon.com Inc. ’s cloud service, according to a federal criminal complaint and people familiar with the matter.
The bulk of the exposed data involves information submitted by customers and small businesses that applied for Capital One credit cards between 2005 and early 2019, the bank said, including addresses, dates of birth and self-reported income.
Ms. Thompson is a former employee of Amazon Web Services Inc., according to people familiar with the matter. The criminal complaint says Ms. Thompson’s résumé showed she worked at a cloud-computing company, which the government didn’t name, as a systems engineer from 2015 to 2016.
A spokesman for Amazon didn’t immediately respond to a request for comment.
The breach compromised approximately 140,000 Social Security numbers and 80,000 bank account numbers, as well as some customers’ credit scores, payment histories and credit limits. It follows a breach in 2017 at credit-reporting company Equifax Inc., which exposed the data of nearly 150 million Americans and focused public and congressional attention on the sensitive information that financial companies keep on their customers.
The Capital One breach could prove to be damaging if criminals use the stolen information to apply for credit in the names of the most creditworthy or affluent people. Unlike most large U.S. card issuers, Capital One customers also include many subprime consumers.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, the bank’s chairman and chief executive. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Although the bank said it is unlikely the stolen information was disseminated or used for fraud, the criminal complaint alleges Ms. Thompson intended for the data to be distributed online. The bank said that its investigation continues and that the incident is expected to cost approximately $100 million to $150 million.
Ms. Thompson, who is charged with one count of computer fraud and abuse, allegedly accessed the bank’s data through a misconfigured firewall.
A lawyer for Ms. Thompson, who appeared in Seattle federal court for an initial hearing, didn’t immediately respond to a request for comment.
Under the username “erratic,” Ms. Thompson boasted online about her alleged theft of the data, which allowed law enforcement to quickly identify her, according to prosecutors.
The breach occurred in late March, the bank said. This month, an ethical hacker—a person who hacks into a network to test its security—emailed Capital One about the leak of its data, and the bank alerted law enforcement July 19.
Among large banks, Capital One has been an enthusiastic adopter of the cloud for data storage. In its April earnings call, Mr. Fairbank talked about the bank’s technology transformation over the past 25 years. “What we’re doing at Capital One is building a technology company that does banking, instead of a bank that just uses technology,” he said.
The bank has also been public in its embrace of Amazon Web Services. It has closed data centers and shifted those activities to Amazon, a process it expects to complete fully in 2020. The bank’s executives have been featured speakers at Amazon conferences and said that the firm’s use of the cloud has helped the bank handle spikes in computing-power needs, such as credit-card purchases on Black Friday, and roll out products faster to customers.
Banks have moved cautiously to the cloud, partly because of security concerns and the need to keep certain customer and transaction data walled off.
Older mainframe systems, often patched together as a result of bank mergers, can make such a move a major undertaking. Capital One Reports Data, Capital One Reports Data,Capital One Reports Data, Capital One Reports Data, Capital One Reports Data
The Capital One Data Breach: What It Means for You
A hacker accessed personal information of over 100 million credit-card customers and applicants. Here’s what you need to know to protect your information.
In this latest massive consumer-data breach, a hacker accessed the personal information of 100 million Capital One credit-card customers and applicants in the U.S. and six million in Canada.
The breach stands to be one of the worst for U.S. consumers because of the type of financial information that was accessed. This valuable consumer financial information can be used to figure out the identities of the most creditworthy or affluent consumers and open a card or loans in their names.
Here’s what you need to know if you have a Capital One credit card or have applied for one in the past, and how to protect your accounts and information.
• I Have A Capital One Credit Card. What Happened?
Sensitive identity information about consumers and small businesses who applied for Capital One credit cards between 2005 and 2019 was exposed. So if you have a Capital One credit card, or have applied for one in that time frame, your information is part of this data breach.
The information leaked includes names, addresses, ZIP Codes, phone numbers, email addresses, dates of birth and self-reported income, the bank said. Consumer data including credit scores, credit limits, balances, payment history and some transaction data are also part of the breach. Also exposed were about 140,000 Social Security numbers and 80,000 linked bank account numbers.
•What Can Someone Do With This Info?
This information can be used to apply for credit cards. Currently, Capital One says it’s unlikely that the stolen information was sold or disseminated.
From an identity-theft perspective, the Capital One breach is less widespread than the Equifax hack because more Social Security numbers were compromised in the Equifax breach. Someone having your Social Security number means they can more easily spin up an unauthorized account in your name, said CreditCards.com industry analyst Ted Rossman.
Still, the data in the Capital One hack is some of the most valuable information about consumers and their credit standing.
• What Should I Do Now?
There are three things those who either have a Capital One credit card or applied for one should do immediately.
Freezing your credit will prevent new lines of credit from being opened in your name, and it doesn’t affect your credit score. It is free and guaranteed by federal law. Credit-reporting agencies must freeze your credit within one business day if you make the request by phone. Be sure to write down the PIN the credit bureau gives you when you freeze your credit so you can lift the freeze. You can also place a fraud alert when you’re contacting the credit bureaus, which will make it harder for someone to open an account or credit card in your name.
Then, change your passwords. Though Capital One says login information wasn’t compromised in this hack, reusing old passwords is a major security vulnerability. More than eight in 10 Americans reuse passwords online,according to a 2019 poll from CreditCards.com.
After that, set up two-factor authentication for all your financial profiles and online accounts. Having to log in via a code sent to your cellphone is another barrier to keep your information safe from hackers.
Lastly, monitor your credit-card activity and credit reports. Capital One said they’ll notify everyone affected in the hack “through a variety of channels,” and for the people compromised, they’ll also be offering free credit monitoring and identity protection.
• Will I Get Called Or Emailed About This Data Breach?
Capital One says it isn’t calling customers about this incident. The bank says you shouldn’t give out personal information over the phone or email if you are contacted about this data breach.
• What Else Can I Do?
The investigation is ongoing, so the best thing for Capital One credit-card holders to do is to keep following the story. You can also check the Capital One website for customer updates.
Even if you weren’t compromised in this hack, Mr. Rossman said these steps can help everyone protect their information against future breaches.
“I think these things are all good steps in general, even beyond Capital One,” he said. “I would just assume your data is out there, whether it’s this or Equifax or Target or Home Depot …This isn’t the first and it won’t be the last.”
Federal Prosecutors Accuse Capital One Hacker of Hitting Dozens More Targets
Paige A. Thompson could face additional charges over the alleged theft of multiple terabytes of data.
The woman charged with hacking into millions of Capital One Financial Corp. records hit more than 30 other targets, federal prosecutors said, significantly expanding the scale of what was already considered one of the largest heists of data stored in the cloud.
Paige A. Thompson, a former Amazon.com Inc. employee, was arrested on July 29, and charged with stealing 106 million Capital One records in one of the largest-ever bank-data thefts. Ms. Thompson also stole multiple terabytes of data from more than 30 other companies, educational institutions and others, prosecutors said in a court filing Tuesday.
Ms. Thompson, who has remained in custody, is scheduled to appear at a bail hearing Aug. 22.
Prosecutors, citing Ms. Thompson’s past behavior, asked the court to deny bail out of concern she would “resort to threats, violence, or cybercrime.” They said Ms. Thompson had a “long history” of threatening to kill others and herself. Prosecutors also said they consider Ms. Thompson a flight risk.
In online discussion forums, Ms. Thompson expressed frustration over her 2016 dismissal from Amazon, and subsequent inability to find employment.
She claimed to earn money by installing cryptocurrency-mining software on some of the computer systems she accessed. Security experts who have viewed her posts said Ms. Thompson displayed a high level of technical knowledge on the inner workings of Amazon’s cloud.
Earlier this week, Ms. Thompson declined a request from The Wall Street Journal for an interview, relayed to her by prison officials. Her lawyer didn’t immediately respond to a request for comment on the latest accusations.
Ms. Thompson allegedly exploited a common cloud configuration problem to access the Capital One data. The bank has taken responsibility for not adequately securing its systems, but the incident also has raised questions about whether Capital One’s cloud-computing provider, Amazon, could do more to protect its customers. Amazon, the world’s largest cloud-computing company, has said that none of its services were the underlying cause of the break-in.
An Amazon spokesman on Wednesday said that the company is now running checks and alerting customers if they have the kind of firewall misconfiguration that Ms. Thompson allegedly exploited. “Other than Capital One, we haven’t yet heard from customers about a significant loss,” he said in an email.
Amazon is also considering additional changes that it can make to its cloud subsystems that will better protect its customers, the company said in a letter dated Wednesday and sent in response to questions about the breach raised last week by Sen. Ron Wyden (D., Ore.).
In a statement, Sen. Wyden said that while he appreciates the steps Amazon is taking to address these security issues, the company still needs to do more to protect its customers. “Without additional action, I fear we will continue to see repeats of the Capital One breach, with American consumers as the real victims,” he said.
Ms. Thompson’s alleged hack was discovered after she posted details about her hack online, leading a tipster to notify Capital One.
Prosecutors said they expect to add to the charges against Ms. Thompson for each additional entity hit. “Although not all of those intrusions involved the theft of personal identifying information, it appears likely that a number of the intrusions did,” prosecutors said.
The investigation into who exactly was targeted and what information was taken continues, they said.
The latest filings didn’t say whether all of the affected companies are Amazon customers.
In online postings viewed by the Journal, Ms. Thompson suggested she had accessed data at several other entities, including Ford Motor Co. , UniCredit SpA, Italy’s largest bank, and Michigan State University. Ford said it wasn’t affected. UniCredit and Michigan State University have said they were investigating the incident.
The impact of Ms. Thompson’s crime, prosecutors said, “will be immense.” Capital One has said the data breach will cost it as much as $150 million. A Capital One spokeswoman didn’t immediately return messages seeking comment.
Prosecutors, in their latest court submission, also detail several of the run-ins Ms. Thompson had with law enforcement before her arrest last month.
In March, police were called to Ms. Thompson’s Seattle residence after she allegedly tried to strike a roommate. Police again were called to the house two months later after Ms. Thompson allegedly had threatened to “shoot up” the office of an unnamed California technology company, prosecutors said. Capital One Reports Data, Capital One Reports Data
Contacting The Agencies:EQUIFAX