Capital One announced Monday that it had been the victim of a data breach. As many as six million people in Canada and 100 million people in the United States had personal information stolen, including names, addresses, phone numbers, postal codes, email addresses, birth dates and self-reported income. Capital One said that one million Canadian Social Insurance Numbers (SINs) were also compromised.
The good news is that the FBI has arrested the alleged hacker. The U.S. Department of Justice said 33-year-old Paige A. Thompson, alias “erratic,” was detained in connection with the hack, pending a hearing that is expected to happen on Thursday. Thompson was arrested on a criminal complaint charging computer fraud and abuse for intruding on Capital One’s stored data.
The criminal complaint charged that Thompson posted on GitHub about having stolen information from servers that stored data for Capital One. She allegedly managed to do this thanks to a “misconfigured web application firewall” that allowed the data to be accessed. Thompson worked at the cloud computing company Amazon Web Services from 2015 to 2016, and it is suspected that this is how she was able to access the information. A GitHub user notified Capital One on July 17 that the data may have been compromised. If found guilty, Thompson could face a $250,000 fine and up to five years behind bars.
The information exposed was largely linked to consumers and small businesses that applied for Capital One credit card products between 2005 and early 2019, the company said in a news release. Customer status data, such as credit limits, scores, balances and payment histories, was also breached, but Capital One says no credit card account numbers or login credentials were compromised. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Capital One chairman and CEO Richard Fairbank said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.” Capital One is offering free credit monitoring and identity protection to people who have been affected, and says it has fixed the vulnerability that allowed the hacker entry.
The bad news for Capital One is that New York State has launched an investigation into the breach. New York Attorney General Letitia James said in a statement, “My office will begin an immediate investigation into Capital One’s breach and will work to ensure that New Yorkers who were victims of this breach are provided relief. We cannot allow hacks of this nature to become everyday occurrences.” It is only a matter of time before other jurisdictions follow suit. A class action suit has already been filed in federal court in Washington, D.C., by Kevin Zosiak, a Stamford, Connecticut, resident who said he is a Capital One credit card customer whose personal information was compromised. The day after the breach was announced, Capital One shares fell 6.1%.
While it is still early, there are some things that businesses can learn from this type of breach. Active monitoring, coupled with vulnerability and remediation management, might have prevented this breach, since the alleged hacker says she was able to get in via a firewall vulnerability. Addressing compliance and ensuring that third-party partners are meeting compliance objectives are also important. Lastly, when all else fails, having a breach readiness plan is important. Uzado's BRaaS (Breach Readiness as a Service) offers customers a proven, proactive approach to preparing for a breach. Uzado will work with organizations to set up policies and procedures, form response teams in which individuals are assigned specific roles, and establish the required channels of communication.