Pierluigi Paganini July 30, 2019

Capital One, one of the largest U.S. –card issuer and financial corporation suffered a data breach that exposed personal information from more than 100 million credit applications.

A hacker that goes online with the handle “erratic” breached the systems at Capital One and gained access to personal information from 106 million Capital One credit applications.

According to the financial institution, law enforcement already identified and arrested the hacker, the DoJ announced on Monday that Paige A. Thompson (33) is suspected to be responsible for the data breach.

“A former Seattle technology company software engineer was arrested today on a criminal complaint charging computer fraud and abuse for an intrusion on the stored data of Capital One Financial Corporation, announced U.S. Attorney Brian T. Moran.” reads the press release published by the DoJ. “PAIGE A. THOMPSON a/k/a erratic, 33, made her initial appearance in U.S. District Court in Seattle today and was ordered detained pending a hearing on August 1, 2019.”

Paige Thompson is a former Amazon Web Services software engineer who worked for a Capital One contractor from 2015 to 2016.

THOMPSON posted about the Capital One hack on GitHub, she exploited a misconfigured web application firewall to get access to the data.  On July 17, 2019, Capital One was informed of the incident by a GitHub user who saw the post.  On July 19, 2019, that financial institution discovered the intrusion and informed the FBI.

“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” said U.S. Attorney Moran.  “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”

Capital One confirmed to have immediately fixed the configuration issue exploited by the hacker.

The feds identified the hackers and executed a search warrant at THOMPSON’s residence where they seized electronic storage devices containing a copy of the data. 

Paige A. Thompson was charged with computer fraud and abuse in U.S. District Court in Seattle. She already appeared in court and was ordered to remain in custody pending a detention hearing Thursday.

The security breach data breach took place on March 22nd and 23rd, the hacker accessed information of customers who had applied for a credit card between 2005 and 2019.

“Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada. 

Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Securitynumbers were not compromised.” states a press release published by Capital One.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019.”

Exposed data includes names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Attackers also obtained portions of credit card customer data, including: 

• Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
• Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

The hacker accessed bank account numbers and Social Security numbers only for a limited number of customers:

• About 140,000 Social Security numbers of our credit card customers
• About 80,000 linked bank account numbers of our secured credit card customers

Capital One will notify the affected customers and will provide free credit monitoring services to those affected.

Thompson could face up to five years in prison and a $250,000 fine, a hearing has been scheduled for August 1, 2019.

Pierluigi Paganini

(SecurityAffairs – Capital One, Data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]