Bank Alerted to Cyber Attack After a Tip-Off From the Public
Going public with the news saw Capital One’s stock price drop nearly 6%
One of America’s largest financial institutions, Capital One, is picking up the pieces after one of the largest recorded data breaches saw the personal information of up to 100 million of its customers compromised in a cyber attack.
Among the data affected are 140,000 social security numbers, 1 million Canadian social insurance numbers and 80,000 bank account numbers, as well as an undisclosed number of names, addresses, credit scores, credit limits, balances and other personal information that was housed on Capital One’s cloud server.
The person reportedly responsible for the attack, 33-year-old software engineer Paige A. Thompson, was arrested by the FBI earlier this week and stands accused of stealing data from Capital One, according to the Justice Department. Thompson previously worked at Amazon Web Services, the cloud hosting company that Capital One was using at the time of the breach.
According to a court filing, she was able to gain access by exploiting a misconfigured web application firewall. If convicted, she stands to serve a five-year sentence and receive a $250,000 fine.
The U.S. Department of Justice has said that Capital One was unaware of the hack until a member of the public emailed them with the revelation that personal details of its customers were being posted on GitHub. Capital One reported the breach to the FBI two days later, according to reports.
According to a filing from the Department of Justice, the bank received an email on July 17th detailing the fact that “there appears to be some leaked s3 data of yours in someone’s github/gist.”
‘S3’ in this context refers to Amazon Web Services’ cloud-storage servers that Capital One was using at the time.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Richard Fairbank, Capital One’s chairman and CEO, said. “I sincerely apologise for the understandable worry this incident must be causing those affected, and I am committed to making it right,” he said.
Capital One has since issued an official statement on what it calls the ‘data security incident’, confirming that “this event affected approximately 100-million individuals in the United States and approximately 6-million in Canada.”
Capital One stated that “safeguarding our customers’ information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so.”
“We will incorporate the learnings from this incident to further strengthen our cyber defenses,” it said.
A report from USA Today quotes Matt Schulz, chief industry analyst at CompareCards.com, who says the breach is “yet another reminder of why it is so important to build fraud detection checks into your regular routine.”
“These cards are favourites for those who are getting started with credit or who are rebuilding their credit and often have very little financial margin for error,” he said. “There may not be a huge amount of money in these accounts, but it’s very important for cardholders with those accounts to keep as close a watch for fraud as any other type of credit card holder,” Schulz said.