Capital One Gets In On The Data Breach Action, Coughs Up Info On 100 Million Customers To A Single Hacker

from the another-company-tells-customers-to-look-under-their-seats-for-free-credit-monito dept

Another day, another major data breach.

In one of the largest thefts of data from a bank, a software engineer in Seattle hacked into a server holding customer information for Capital One and stole millions of credit card applications, federal prosecutors said on Monday.

The suspect, Paige Thompson, left a trail online for investigators to follow, according to court documents in Seattle, where she was charged.

Let’s go ahead and move on from the New York Times’ use of the words “theft” and “stole” to refer to the exfiltration of a copy of data Capital One still holds and on to the fact that the only thing unusual about this breach is that a suspect has already been arrested and charged.

The timetable is pretty tight too, if Capital One is being honest about when it first discovered the breach.

Capital One Financial Corporation (NYSE: COF) announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.

That’s a big “if” — one that’s certainly called into question by the swift apprehension of a suspect. Maybe this is all on the level. Even if it is, does it matter? Companies collecting massive amounts of data are still, on the whole, pretty cavalier about data security, even as breach after horrifying breach is announced.

Given the data obtained, it almost seems like it would have been far less labor-intensive to just scour the web for a copy of the Equifax breach and download that instead. The Venn diagram of the sensitive data likely has a significant overlap.

Then there’s the press release by Capital One, which inadvertently shows how little it really cares what happens to customers’ sensitive information.

No bank account numbers or Social Security numbers were compromised, other than:

About 140,000 Social Security numbers of our credit card customers

About 80,000 linked bank account numbers of our secured credit card customers


Nothing was compromised but the stuff that was compromised. This is the laziest spin I’ve ever seen applied to a data breach. And I’ve seen the federal government in action.

And hooray for American exceptionalism?

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

Let’s not step up to congratulate the G-men for their swift apprehension of the suspect. It appears the person accused of hacking Capital One’s data engaged in zero opsec, turning the difficulty level down to “Easy” for investigators.

“I’ve basically strapped myself with a bomb vest,” Ms. Thompson wrote in a Slack post, according to prosecutors, “dropping capital ones dox and admitting it.”

Online, she used the name “erratic,” investigators said, adding that they verified her identity after she posted a photograph of an invoice she had received from a veterinarian caring for one of her pets.

All told, more than 100 million people are affected by this breach. Some are more affected than others, but this puts the Capital One breach on par with the Equifax breach in terms of potential victims. Unlike Equifax, the exfiltrated information was voluntarily given to Capital One by its customers, rather than harvested en masse without explicit consent for the sole purpose of selling to creditors.

And while the data stores of Rome are burning, the US government fiddles. Meaningless settlements do nothing to encourage better security efforts and the head of the DOJ is spending his time arguing against strong encryption. It’s time to retire the sunglasses. The future isn’t all that bright after all.

Filed Under: , , , ,
Companies: capitol one

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Capital One Gets In On The Data Breach Action, Coughs Up Info On 100 Million Customers To A Single Hacker”

Subscribe: RSS Leave a comment
Anonymous Coward says:

I think you are missing something important.

It seems that an ex-Amazon employed pulled it from the data they stored on Amaon systems. AKA the bank gave Amazon the data (probably in the hopes that Amazon wouldn’t look at it).

Bare minimum responsiblity would have been for the data to be stored encrypted.
(in other words do not store sensative data in the clear on third party systems…. humans have known this about as long as the idea of ‘secrets’ has existed)

Anonymous Coward says:

Re: Re:

Bare minimum responsiblity would have been for the data to be stored encrypted.

Or not stored. Private data is toxic waste, and they had waste from 2005 still. Why do they need to instantly, and from anywhere, look at 14-year-old credit applications and all the private data they contain? Even if they needed the data, they’d have been better off using a filing cabinet, and then a leak would have been a few thousand records only. (And someone might have said "this is getting kind of full, let’s shred the old stuff".)

Anonymous Coward says:

Re: Re: Re: Re:

How the hell can you get a copy of the dataset as in a court case I know of Capital One told the court they DIDN’T have that 2005 vintage CC application data.

The NYT link ("another major data breach") says that’s the data they got. Maybe Capital One didn’t have all the data, maybe they lied in court, maybe the hacker’s just better at finding data (or cares more) than their employees.

Anonymous Coward says:

Are Card Issuers Subject to PCI compliance?

I don’t know for sure, the PCI compliance documentation is like trying to read oatmeal but I unfortunately imagine this involves some broken laws on Capitol One’s part. I’m also a (Canadian) Capitol One cardholder so guess I’ll find out a little more as this goes on.

OGquaker says:

Re: Re: Are Card Issuers Subject to PCI compliance?

As State Treasurer of the Green Party, i was ‘forced into ‘compliance’ with new credit card rules with all of our card processors, who billed us fee after fee each month, a cost many times the donations we were receiving most months. I could not hold a cardholder’s name & number in this computer, Bla Bla; the fine was $10.oo. No in-house Corporate attorney would bother to open a letter about a ten dollar fine assessment.

Anonymous Coward says:

So, she knew enough and was clever enough to be able to hack into Capital 1 but wasn’t clever enough to be able to keep her identity and whereabouts hidden? Even ‘worse’, she managed to allow the feds to get hold of everything they need to be able to arrest her and have sufficient evidence to indict, all within a matter of days! Yeah, right! As has happened so many times before, i can feel a set-up coming into play here!

OGquaker says:

Re: Re:

Regrettably, the mine canary is always the first to be sacrificed.
Without an MBA and Certified Credentials from A Satisfactory Authority and Written Permit-sion, she is scum by default. Dostoyevsky’s idiot is wise and correct, thus the name calling.

If she had in anyway disguised her breach, she would be way further up the river.

A.C. says:

Re: knew enough

She knew enough to have had a job with AWS and to have had the credentials needed to steal info. Many people in IT know their specific area but have little knowledge of other areas.

She clearly didn’t know much about information technology forensics. I know many people in IT who don’t know as much about privacy and covering tracks as the average non-IT professional.

The only reason this looks like a setup to you is that your sexist world view can’t acknowledge that women can commit extortion or steal from former employers.

Anonymous Coward says:

There are other problems with Capone

Hopefully reporters can ask some questions about CapOne and the rest of CC industry.

3 separate providers having these screw-ups makes me think there is a common back end set of code.

Walmart card cancelled. 1.5 years later a new card for walmart arrives with a letter saying it has upgraded tech. It works. After paid off, cancelled.

Ebay – did not complete the CC application. 1 year 2 months later letter arrives. Your card XXXX XXXX 6543 2109 did not get mailed the proper communication the FDCPA demands so here is this information. (yes the 8 digits are fake. But why send a letter with the 1st 8 Xed out as the last digits are the hard part to guess) No ebay CC appears on credit report.

CapOne – card is cancelled by customer. 8 months after cancellation a replacement chip and pin card is send. A year and a half after that was done they started to send cash advance checks to a PO box as the old address was invalid. FDCPA violations of not sending the yearly notice along with sending to a PO Box and not having a valid physical address.

Either all 3 firms suck or there is a common backend that sucks.

Anonymous Coward says:

Capital One's Due Diligence might hang them...

When Capital One signed up w/ AWS, they undoubtedly performed due diligence complete with written checklists and the like. They obviously asked things such as:

1) Show us your redundant power supply
2) Show us your redundant water and cooling systems
3) Tell us what you do regarding outsiders accessing data.
4) Show us your logging facilities and what you do to keep the logs separate from the data.

etc., etc., etc.

It would be interesting to see their work papers regarding questions about how they protect data from insiders (80% of all incidents come from the inside according to the FBI). If they failed to go down the path of determining risk from inside threats, they will have "a lot of splainin" to do.

fairuse (profile) says:

skip to the easy part

From the Capital One Announcement:
"Was the data encrypted and/or tokenized?
We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.

However, it is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected."

Seems to imply access via all the proper access information not deleted from employee X and employee X is flipping off Capital One. Not a real Hack but bad access rights management.

I’m not IT(tried it – made me hate job) I have plenty of fun at hardware coding. Oops, retired,

Too much is missing from articles – why did "suicide bomb vest" comment get no questions. Payback is a bitch via scorned employees.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...