Capital One Data Breach Shows It's High Time for Stringent Data Security Practices
If the sun rises in the east, it is a sign that there will be another massive data breach before sunset. This time, it's the turn of banking institution Capital One.
The company confirmed a data breach in its network exposed the personal information of 106 million people, including transaction data, credit scores, payment history, balances, and in some cases, linked bank accounts and social security numbers.
The breach affects about 100 million U.S. customers and about 6 million individuals in Canada.
The incident came to light on July 19, said the company, adding it alerted the FBI immediately upon patching the vulnerability exploited in the data theft.
"On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers", Capital One stated in a data security incident notice. "This occurred on March 22 and 23, 2019."
The FBI investigation culminated in the arrest of Paige Thompson, a 33-year-old software engineer from Seattle who has been charged with computer fraud and abuse, court records reveal.
According to The New York Times, Thompson "left a trail online," and boasted about the hack, saying she wanted to "distribute" the materials.
Thompson is listed as the organiser of a Meetup group called Seattle Warez Kiddies, described as a gathering for "anybody with an appreciation for distributed systems, programming, hacking, cracking."
Capital One said it found no evidence of fraud or misuse of the accessed information.
The court complaint states a misconfigured firewall allowed commands to be executed on a server that enabled access to "buckets of data" stored in Amazon S3 cloud.
The S3 bucket leak was responsibly disclosed to the company by an external security researcher, which led to the discovery of the unauthorized access.
The suspect, the complaint reads, leveraged Tor and a VPN service called IPredator to unsuccessfully hide her tracks. "The unauthorized access also enabled the decrypting of data," the FAQ states.
Authorities said Thompson used the alias "erratic" in her online communications, posted the stolen data online on software repository platform GitHub, and made statements on social media "evidencing the fact that she has information on Capital One."
"Im like > ipredator > tor > s3 on all this shit," the complaint screenshots a Slack user called erratic saying.
FBI authorities said that, on June 18, a Twitter user with the screen name Erratic sent direct messages to another user that read: "I've basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it. I wanna distribute those buckets i think first. There ssns... with full name and dob."
The unnamed receiver of the above messages sent them to Capital One officials, who also happened to receive an email dated July 17 from someone reporting that sensitive data was posted to Thompson's Github account. It's not immediately clear if they are from the same individual.
The Virginia-headquartered bank said it's in the process of notifying each user who was affected via email and will be providing free credit monitoring services. The hack is expected to cost the company approximately US$ 100 million to US$ 150 million in 2019.
Due to the nature of personal information exposed and the scope for identity theft, it goes without saying the incident underscores the need for proper access reviews when an employee leaves a company.
Thompson had been working for an unnamed cloud-computing company from 2015 to 2016. It appears that the hack made it easy for the intruder to gain credentials for an administrator account, and also granted access to bank data stored under contract by the company.
By ensuring that the systems they had access to are 100 percent inaccessible to them after they leave, the incident could have been avoided. But this is not the first time the bank has suffered a security breach.
In a breach in 2017, Capital One notified customers that a former employee may have had access for nearly four months to their personal data, including account numbers, telephone numbers, transaction history and Social Security numbers.
Last week, the credit bureau Equifax settled claims from a 2017 data breach that exposed sensitive information on over 147 million consumers, costing it about US$ 650 million.
That these security incidents are occurring at a so frequent rate have led to a data-breach fatigue, with people becoming desensitised to the whole idea of privacy and security in a digital world.
Breaches will continue to happen again, and companies that collect our data continue to do not enough to protect it. Fines and oversight can only do so much, and it's high time the companies take their data security responsibilities seriously. Or, unless there is something that forces them to act.
The company confirmed a data breach in its network exposed the personal information of 106 million people, including transaction data, credit scores, payment history, balances, and in some cases, linked bank accounts and social security numbers.
The breach affects about 100 million U.S. customers and about 6 million individuals in Canada.
The incident came to light on July 19, said the company, adding it alerted the FBI immediately upon patching the vulnerability exploited in the data theft.
"On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers", Capital One stated in a data security incident notice. "This occurred on March 22 and 23, 2019."
The FBI investigation culminated in the arrest of Paige Thompson, a 33-year-old software engineer from Seattle who has been charged with computer fraud and abuse, court records reveal.
According to The New York Times, Thompson "left a trail online," and boasted about the hack, saying she wanted to "distribute" the materials.
Thompson is listed as the organiser of a Meetup group called Seattle Warez Kiddies, described as a gathering for "anybody with an appreciation for distributed systems, programming, hacking, cracking."
Capital One said it found no evidence of fraud or misuse of the accessed information.
The court complaint states a misconfigured firewall allowed commands to be executed on a server that enabled access to "buckets of data" stored in Amazon S3 cloud.
The S3 bucket leak was responsibly disclosed to the company by an external security researcher, which led to the discovery of the unauthorized access.
The suspect, the complaint reads, leveraged Tor and a VPN service called IPredator to unsuccessfully hide her tracks. "The unauthorized access also enabled the decrypting of data," the FAQ states.
Authorities said Thompson used the alias "erratic" in her online communications, posted the stolen data online on software repository platform GitHub, and made statements on social media "evidencing the fact that she has information on Capital One."
"Im like > ipredator > tor > s3 on all this shit," the complaint screenshots a Slack user called erratic saying.
FBI authorities said that, on June 18, a Twitter user with the screen name Erratic sent direct messages to another user that read: "I've basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it. I wanna distribute those buckets i think first. There ssns... with full name and dob."
The unnamed receiver of the above messages sent them to Capital One officials, who also happened to receive an email dated July 17 from someone reporting that sensitive data was posted to Thompson's Github account. It's not immediately clear if they are from the same individual.
The Virginia-headquartered bank said it's in the process of notifying each user who was affected via email and will be providing free credit monitoring services. The hack is expected to cost the company approximately US$ 100 million to US$ 150 million in 2019.
Due to the nature of personal information exposed and the scope for identity theft, it goes without saying the incident underscores the need for proper access reviews when an employee leaves a company.
Thompson had been working for an unnamed cloud-computing company from 2015 to 2016. It appears that the hack made it easy for the intruder to gain credentials for an administrator account, and also granted access to bank data stored under contract by the company.
By ensuring that the systems they had access to are 100 percent inaccessible to them after they leave, the incident could have been avoided. But this is not the first time the bank has suffered a security breach.
In a breach in 2017, Capital One notified customers that a former employee may have had access for nearly four months to their personal data, including account numbers, telephone numbers, transaction history and Social Security numbers.
Last week, the credit bureau Equifax settled claims from a 2017 data breach that exposed sensitive information on over 147 million consumers, costing it about US$ 650 million.
That these security incidents are occurring at a so frequent rate have led to a data-breach fatigue, with people becoming desensitised to the whole idea of privacy and security in a digital world.
Breaches will continue to happen again, and companies that collect our data continue to do not enough to protect it. Fines and oversight can only do so much, and it's high time the companies take their data security responsibilities seriously. Or, unless there is something that forces them to act.
Comments
Post a Comment