Update: June 18, 2022 - Ex-Amazon Worker Paige Thompson Arrested and Convicted in Capital One Hacking.

Financial corporation Capital One has announced a data breach that exposed the personal information of 100 million users, including credit card data, payment details, bank account numbers, and social security numbers.
The data breach notification followed a white hat hacker's report of a vulnerability to Capital One on June 17th, 2019. After investigating the reported issue, the Capital One team found unauthorized access to their systems and customer data between March 22nd and 23rd of 2019.
The security team of Capital One found that unauthorized users had access to the information of 100 million people in the United States and 6 million people in Canada. They later reported the hacking incident to law enforcement (the FBI) and also patched the vulnerability.
In its security incident notice, Capital One says:
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
- Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
No bank account numbers or Social Security numbers were compromised, other than:
- About 140,000 Social Security numbers of our credit card customers
- About 80,000 linked bank account numbers of our secured credit card customers
After Capital One reported the hacking incident to the FBI, a suspect was identified: Paige Thompson, a 33-year-old woman, was arrested in connection with this hack.
According to the statement of the Department of Justice (DoJ), Thompson posted a comment on GitHub about her accessing Capital One's data.
The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft.

Capital One will notify each affected user by email and will provide a free credit monitoring service.
Because of the amount of personal information that was exposed and how it can be used for identity theft, users are strongly advised to monitor their credit reports for suspicious activity and immediately report anything they detect to the police, Capital One, and the credit agencies.
Ex-Amazon worker convicted
A former Amazon engineer who was accused of stealing customers’ personal information from Capital One in one of the largest breaches in the United States was found guilty of wire fraud and hacking charges on Friday.
A Seattle jury found that Paige Thompson, 36, had violated an anti-hacking law known as the Computer Fraud and Abuse Act, which forbids access to a computer without authorization. The jury found her not guilty of identity theft and access device fraud.
Ms Thompson had worked as a software engineer and ran an online community for other workers in her industry. In 2019, she downloaded personal information belonging to more than 100 million Capital One customers. Her legal team argued that she had used the same tools and methods as ethical hackers who hunt for software vulnerabilities and report them to companies so they can be fixed.
But the Justice Department said that Ms Thompson had never planned to alert Capital One to the problems that gave her access to customers’ data and that she had bragged to her online friends about the vulnerabilities she uncovered and the information she downloaded. Ms Thompson also used her access to Capital One’s servers to mine cryptocurrency, the Justice Department said.