The popularized Capital One slogan, "what's in your wallet", doesn't sound all that great at the moment as the fifth-largest U.S. credit-card issuer is hit with one of the largest data breaches of a big bank. The data breach was conducted by Paige A. Thompson, 33 years old, who was arrested in connection with the hack by federal agents in Seattle.
Thompson is accused of attacking Capital One through a firewall that gave access to customer data stored on Amazon's cloud service. The data is said to belong to upwards of 100 million customers and Capital One applicants that may have applied for credit or accounts in the past between 2005 and early 2019. The data specifics include addresses, birth dates, and even self-reported incomes.
Reportedly, Ms. Thompson is a former employee of Amazon Web Services Inc., which is the service utilize by Capital One to store their customer data. By working for the cloud service from 2015 to 2016 as a system engineer, Ms. Thompson may have gained the necessary knowledge to help her to infiltrate Capital One's customer data.
Hacker was going to share compromised Capital One customer data
As investigators look into the hacking matter, it is being stated in a criminal complaint that Thompson attempted to share the hacked data with others online. The incident that looks to have compromised over 100 million Capital One customers and applications, took place on March 22nd and 23rd and at the time repaired the vulnerability that Thompson was able to exploit through a misconfigured web application firewall. In repairing the vulnerability, Capital One has said it is "unlikely that the information was used for fraud or disseminated by this individual."
Capital One is still investigating the situation while its CEO, Richard Fairbank, said in a statement, "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
Among the 100 million customers potentially affected by the data breach, 6 million of them are located in Canada while the rest are based in the United States. Capital One assures customers and credit applicants that no credit card account numbers or login credentials were compromised along with over 99% of Social Security numbers.
FBI agents investigating Thompson say that she tweeted how she wanted to distribute Social Security numbers with names and other customer data. Thompson is being charged with one count of computer fraud and abuse and could face serious time behind bars to make yet another example out of a hacker who attacked a large institution and compromised large amounts of consumer data.
What will Capital One do for those affected by the data breach?
Currently, Capital One is notifying people affected by the breach and will take the necessary actions to offer free credit monitoring and identity theft protection. They expect that providing such services along with tech and legal costs due to the hacking incident to be between $100 million to $150 million.
As banks look to streamline data centers and move towards cloud storage, it raises the question of whether such moves are safe and could lead to more attacks like the Capital One data breach. We suspect the Capital One hacking case will be an eye-opener for other institutions and lead to others to tread carefully in their decisions and data storage solutions in the future. Instead of asking "what's in your wallet", maybe banks should ask "where's your data stored, and is it safe?"