In past articles I have always said that hackers consist of primarily out of work or disgruntled “Techies” usually booted from an employer, or collage, and they want justice, so in revenge, they go to work hacking the system that fired them. They usually make more hacking than they did doing “real” work in the industry, as in the case of Capital One, The woman who allegedly pulled off one of the largest-ever bank-data heists appeared to have exploited a vulnerability in the cloud that security experts have warned about for years.
Paige A. Thompson, a former employee at Amazon’s cloud-computing unit who was arrested July 29, is accused of carrying out the massive theft of 106 million Capital One Financial records.
The odd thing here is that she didn’t really use a “hack” of sorts, the problem stemmed in part from a misconfigured open-source Web Application Firewall (WAF) that Capital One was using as part of its operations hosted in the cloud with Amazon Web Services (AWS), basically she was looking for front doors on the web that are open. Capital One’s website was one of those open doors. I reached out to Capitol One for a more concise answer to the breach, as I am a customer of Capitol One, as I was also Equifax, and this is what they sent me.
Safeguarding information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses.
What’s the impact
Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
Importantly, no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Beyond the credit card application data, the individual obtained portions of credit card customer data, including:
- Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information.
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.
The individual also obtained the following data:
- About 140,000 Social Security numbers of our credit card customers.
- About 80,000 linked bank account numbers of our secured credit card customers.
This information has been shared on Capital One’s website, servicing portal, press release and 8K filing.
We will directly notify these customers through the mail.
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident. We will directly notify all Canadian customers affected.
For our Canadian credit card customers, please visit our website at www.capitalone.ca/facts2019.
What are we doing to help
Free credit monitoring and identity protection is available to everyone affected.
We recognize that there may be questions or concerns and our customer service line is available at 1-800-227-4825.
Ok, what is not understood is less than 1% equals 140,000 Social Security numbers of our credit card customers, and what about this? About 80,000 linked bank account numbers, that’s the way I pay my Capitol One bill online by direct debit from my banks routing number, we believe it is unlikely that the information was used for fraud or disseminated by this individual. Equifax said the same thing, and a scan of the dark web revealed that my data was found there, what are the odds that I am NOT on this list? Thanks for reading, and remember at “Hunt Technology”, you always get “Quality Service & Individual Attention” you deserve. Hunt Technology, 320 Watson St., Ripon WI, 920-290-0936