Over 100 million Capital One customers have had their personal data hacked in a massive breach that exposed social security numbers, linked bank accounts, birth dates, phone numbers, and even transaction histories.
Personally identifying information from the credit card applications of about 100 million Americans and 6 million Canadians has been stolen in one of the largest-ever bank hacks in the US, Capital One acknowledged in a press release on Monday. The bank launched into damage control mode almost immediately, pinning the breach on one “highly sophisticated individual” who penetrated the bank’s defenses, but emphasizing that “no other instances” of the specific “configuration vulnerability” were found. Also, it took a third-party bug-hunter to bring the vulnerability to Capital One’s notice earlier this month, and the bank still took two days to find the breach.
But there’s a silver lining – “only” about one percent of the multitudes of hacked individuals had their social security numbers and bank accounts compromised – which still adds up to a staggering number given the massive scale of the hack. “Only” 140,000 social security numbers and “only” 80,000 bank account numbers for US customers, plus about 1 million Canadians' social insurance numbers, were compromised.
Other victims had names, addresses, phone numbers, email addresses, birthdates, credit scores, and self-reported incomes stolen – all information supplied by customers and small businesses who applied for Capital One credit cards between 2005 and 2019. Capital One claimed “tokenized” encrypted data such as social security numbers remained protected during the breach, but did not explain how the unlucky one percent had that information stolen anyway. The bank promised to “incorporate the learnings from this incident to further strengthen [its] cyber defenses.”
Former Amazon Web Services employee Paige Thompson has been arrested and charged with a single count of computer fraud related to the hack. She faces up to five years in prison and a $250,000 fine. Thompson allegedly accessed Capital One’s data, which was stored in the Amazon Web Services cloud, through a misconfigured firewall. She then posted on GitHub about stealing the information, according to a Justice Department press release. An internet Good Samaritan saw the post and informed Capital One about the data theft.
While the Justice Department claims Thompson “used insider knowledge” to steal Capital One’s data, an Amazon spokesperson said the breach the bank described “didn’t require insider knowledge.” Capital One has fervently denied the role cloud storage played in the hack, claiming “this type of vulnerability is not specific to the cloud” and instead boasting that “the speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.”