Last week, Capital One, the fifth-largest U.S. credit-card issuer and banking institution, has suffered a massive data breach exposing the personal information of more than 100 million credit card applicants in the United States and 6 million in Canada.
March 22nd and 23rd 2019 are the dates when the data brach allowed attackers to steal information of customers who had applied for a credit card between 2005 and 2019, Capital One said in a statement.
The security incident only came to light after July 19 when a hacker posted information about the theft on her GitHub account.
The alleged hacker, Paige Thompson a.k.a erratic was arrested by the FBI
A former Amazon Web Services software engineer, 33 y.o., Paige Thompson who worked for a Capital One contractor from 2015 to 2016, was arrested by the FBI in relation to the breach and seized electronic storage devices containing a copy of the stolen data.
Thompson appeared in U.S. District Court and was charged with computer fraud and abuse, which carries up to five years in prison and a $250,000 fine.
Thompson allegedly exploited a misconfigured firewall on Capital One’s Amazon Web Services cloud server and unauthorizedly stole more than 700 folders of data stored on that server sometime in March.
“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion”
“I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”U.S. Attorney Moran said.
Amazon Web Services was not compromised in any way since the alleged hacker gained access to the cloud server due to Capital One’s misconfiguration and not through a vulnerability in Amazon’s infrastructure.
The data breach includes approximately 140,000 Social Security numbers and 80,000 bank account numbers linked to American customers, and 1 million Canadian Social Insurance numbers.
Some customers’ names, addresses, dates of birth, credit scores, credit limits, balances, payment history, and contact information were also compromised in the security breach.
In a statement, Capital One assured its customers that “no credit card account numbers or log-in credentials were compromised” and that more than 99% of the Social Security numbers that the company has on file weren’t affected.
“Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement,” Capital One said.
“The FBI has arrested the person responsible. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.”
Capital One also said it will notify the affected customers and will provide free credit monitoring services to those affected.