Capital One Gets In On The Data Breach Action, Coughs Up Info On 100 Million Customers To A Single Hacker

from the another-company-tells-customers-to-look-under-their-seats-for-free-credit-monito dept

Another day, another major data breach.

In one of the largest thefts of data from a bank, a software engineer in Seattle hacked into a server holding customer information for Capital One and stole millions of credit card applications, federal prosecutors said on Monday.

The suspect, Paige Thompson, left a trail online for investigators to follow, according to court documents in Seattle, where she was charged.

Let's go ahead and move on from the New York Times' use of the words "theft" and "stole" to refer to the exfiltration of a copy of data Capital One still holds and on to the fact that the only thing unusual about this breach is that a suspect has already been arrested and charged.

The timetable is pretty tight too, if Capital One is being honest about when it first discovered the breach.

Capital One Financial Corporation (NYSE: COF) announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.

That's a big "if" -- one that's certainly called into question by the swift apprehension of a suspect. Maybe this is all on the level. Even if it is, does it matter? Companies collecting massive amounts of data are still, on the whole, pretty cavalier about data security, even as breach after horrifying breach is announced.

Given the data obtained, it almost seems like it would have been far less labor-intensive to just scour the web for a copy of the Equifax breach and download that instead. The Venn diagram of the sensitive data likely has a significant overlap.

Then there's the press release by Capital One, which inadvertently shows how little it really cares what happens to customers' sensitive information.

No bank account numbers or Social Security numbers were compromised, other than:

About 140,000 Social Security numbers of our credit card customers

About 80,000 linked bank account numbers of our secured credit card customers

Wat.

Nothing was compromised but the stuff that was compromised. This is the laziest spin I've ever seen applied to a data breach. And I've seen the federal government in action.

And hooray for American exceptionalism?

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

Let's not step up to congratulate the G-men for their swift apprehension of the suspect. It appears the person accused of hacking Capital One's data engaged in zero opsec, turning the difficulty level down to "Easy" for investigators.

“I’ve basically strapped myself with a bomb vest,” Ms. Thompson wrote in a Slack post, according to prosecutors, “dropping capital ones dox and admitting it.”

Online, she used the name “erratic,” investigators said, adding that they verified her identity after she posted a photograph of an invoice she had received from a veterinarian caring for one of her pets.

All told, more than 100 million people are affected by this breach. Some are more affected than others, but this puts the Capital One breach on par with the Equifax breach in terms of potential victims. Unlike Equifax, the exfiltrated information was voluntarily given to Capital One by its customers, rather than harvested en masse without explicit consent for the sole purpose of selling to creditors.

And while the data stores of Rome are burning, the US government fiddles. Meaningless settlements do nothing to encourage better security efforts and the head of the DOJ is spending his time arguing against strong encryption. It's time to retire the sunglasses. The future isn't all that bright after all.

Filed Under: credit cards, data breach, hacks, paige thompson, social security numbers
Companies: capitol one


Reader Comments


  • Anonymous Coward, 30 Jul 2019 @ 11:38am

    I need a good lawyer.

    • Anonymous Coward, 30 Jul 2019 @ 11:46am

      Re:

      Now that I read the article, and given the bank's admission of data breached and the nonchalant attitude about the breach, any lawyer will do.

  • JLofty, 30 Jul 2019 @ 11:41am

    Krebs' take

  • Anonymous Coward, 30 Jul 2019 @ 12:01pm

    I think you are missing something important.

    It seems that an ex-Amazon employee pulled it from the data they stored on Amazon systems. AKA the bank gave Amazon the data (probably in the hopes that Amazon wouldn't look at it).

    Bare minimum responsibility would have been for the data to be stored encrypted.
    (In other words, do not store sensitive data in the clear on third party systems.... humans have known this about as long as the idea of 'secrets' has existed.)

    • Anonymous Coward, 30 Jul 2019 @ 12:37pm

      Re:

      Bare minimum responsibility would have been for the data to be stored encrypted.

      Or not stored. Private data is toxic waste, and they had waste from 2005 still. Why do they need to instantly, and from anywhere, look at 14-year-old credit applications and all the private data they contain? Even if they needed the data, they'd have been better off using a filing cabinet, and then a leak would have been a few thousand records only. (And someone might have said "this is getting kind of full, let's shred the old stuff".)

      • Anonymous Coward, 30 Jul 2019 @ 12:54pm

        Re: Re:

        Hey, while I completely agree with you, dissing their fetishes may hurt their feelings (or at least that's the most plausible explanation that doesn't reflect TOO badly on them).

      • alternatives(), 31 Jul 2019 @ 3:17am

        Re: Re:

        Wait a sec - old credit application data was ALSO in that set?

        How the hell can you get a copy of the dataset as in a court case I know of Capital One told the court they DIDN'T have that 2005 vintage CC application data.

        • Anonymous Coward, 31 Jul 2019 @ 5:20am

          Re: Re: Re:

          How the hell can you get a copy of the dataset as in a court case I know of Capital One told the court they DIDN'T have that 2005 vintage CC application data.

          The NYT link ("another major data breach") says that's the data they got. Maybe Capital One didn't have all the data, maybe they lied in court, maybe the hacker's just better at finding data (or cares more) than their employees.

  • pixelation, 30 Jul 2019 @ 12:36pm

    The big question

    How many of this type of data exfiltration have we not heard about yet?

  • Anonymous Coward, 30 Jul 2019 @ 1:02pm

    What’s in your wallet?

    Hackers, apparently.

  • Anonymous Coward, 30 Jul 2019 @ 1:32pm

    Are Card Issuers Subject to PCI compliance?

    I don't know for sure, the PCI compliance documentation is like trying to read oatmeal, but I unfortunately imagine this involves some broken laws on Capital One's part. I'm also a (Canadian) Capital One cardholder so guess I'll find out a little more as this goes on.

    • AricTheRed, 30 Jul 2019 @ 1:51pm

      Re: Are Card Issuers Subject to PCI compliance?

      One Rule for Me
      Another for Thee.

      The requirements for PCI Compliance are mostly put on the Merchant, not Issuers, not Processors.

      The Issuers and Processors wrote the rules.

      • OGquaker, 30 Jul 2019 @ 7:24pm

        Re: Re: Are Card Issuers Subject to PCI compliance?

        As State Treasurer of the Green Party, I was 'forced' into 'compliance' with new credit card rules with all of our card processors, who billed us fee after fee each month, a cost many times the donations we were receiving most months. I could not hold a cardholder's name & number in this computer, bla bla; the fine was $10.00. No in-house corporate attorney would bother to open a letter about a ten dollar fine assessment.

  • Anonymous Coward, 30 Jul 2019 @ 4:47pm

    So, she knew enough and was clever enough to be able to hack into Capital 1 but wasn't clever enough to be able to keep her identity and whereabouts hidden? Even 'worse', she managed to allow the feds to get hold of everything they need to be able to arrest her and have sufficient evidence to indict, all within a matter of days! Yeah, right! As has happened so many times before, I can feel a set-up coming into play here!

    • OGquaker, 30 Jul 2019 @ 7:47pm

      Re:

      Regrettably, the mine canary is always the first to be sacrificed.
      Without an MBA and Certified Credentials from A Satisfactory Authority and Written Permit-sion, she is scum by default. Dostoyevsky's idiot is wise and correct, thus the name calling.

      If she had in any way disguised her breach, she would be way further up the river.

    • A.C., 31 Jul 2019 @ 4:43am

      Re: knew enough

      She knew enough to have had a job with AWS and to have had the credentials needed to steal info. Many people in IT know their specific area but have little knowledge of other areas.

      She clearly didn't know much about information technology forensics. I know many people in IT who don't know as much about privacy and covering tracks as the average non-IT professional.

      The only reason this looks like a setup to you is that your sexist world view can't acknowledge that women can commit extortion or steal from former employers.

  • Anonymous Coward, 31 Jul 2019 @ 3:08am

    There are other problems with Capone

    Hopefully reporters can ask some questions about CapOne and the rest of CC industry.

    3 separate providers having these screw-ups makes me think there is a common back end set of code.

    Walmart card cancelled. 1.5 years later a new card for walmart arrives with a letter saying it has upgraded tech. It works. After paid off, cancelled.

    Ebay - did not complete the CC application. 1 year 2 months later letter arrives. Your card XXXX XXXX 6543 2109 did not get mailed the proper communication the FDCPA demands so here is this information. (yes the 8 digits are fake. But why send a letter with the 1st 8 Xed out as the last digits are the hard part to guess) No ebay CC appears on credit report.

    CapOne - card is cancelled by customer. 8 months after cancellation a replacement chip and pin card is sent. A year and a half after that was done they started to send cash advance checks to a PO box as the old address was invalid. FDCPA violations of not sending the yearly notice along with sending to a PO Box and not having a valid physical address.

    Either all 3 firms suck or there is a common backend that sucks.

  • Thad (profile), 31 Jul 2019 @ 9:51am

    Nothing was compromised but the stuff that was compromised.

    Reminds me of Emo Philips's "No states end in 'A', except..." bit.

  • Anonymous Coward, 31 Jul 2019 @ 10:53am

    Capital One's Due Diligence might hang them...

    When Capital One signed up w/ AWS, they undoubtedly performed due diligence complete with written checklists and the like. They obviously asked things such as:

    1) Show us your redundant power supply
    2) Show us your redundant water and cooling systems
    3) Tell us what you do regarding outsiders accessing data.
    4) Show us your logging facilities and what you do to keep the logs separate from the data.

    etc., etc., etc.

    It would be interesting to see their work papers regarding questions about how they protect data from insiders (80% of all incidents come from the inside according to the FBI). If they failed to go down the path of determining risk from inside threats, they will have "a lot of splainin" to do.

  • Donkey-Ho-Tay, 1 Aug 2019 @ 10:06pm

    "she"

    I don't think so, Tim....

  • fairuse (profile), 6 Aug 2019 @ 10:07pm

    skip to the easy part

    From the Capital One Announcement:
    "Was the data encrypted and/or tokenized?
    We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.

    However, it is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected."

    Seems to imply access via all the proper access information not deleted from employee X and employee X is flipping off Capital One. Not a real Hack but bad access rights management.

    I'm not IT (tried it, made me hate the job); I have plenty of fun at hardware coding. Oops, retired.

    Too much is missing from articles - why did the "suicide bomb vest" comment get no questions? Payback is a bitch via scorned employees.

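The encrypted-versus-tokenized distinction in the Capital One statement quoted above, worked as an added Python example (not code from the original page, from Capital One or from AWS): every field encrypted under one data-encryption key falls with that key, while a tokenized SSN still needs the separate vault key and token map. The toy stream cipher, the key names, `TokenVault` and the sample applicant are constructed stand-ins.

```python
import hashlib
import hmac
import os
# Constructed sample applicant; every value is made up for the demo.
SAMPLE_APP = {"name": "Jane Applicant", "address": "1 Example St", "ssn": "123-45-6789"}

# Toy stream cipher standing in for the at-rest cipher (AES-GCM in practice):
# keystream block i = SHA-256(key || nonce || i). Demo only, not for real use.
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt_field(key: bytes, plaintext: str) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per field
    return nonce + _xor_stream(key, nonce, plaintext.encode())

def decrypt_field(key: bytes, blob: bytes) -> str:
    return _xor_stream(key, blob[:16], blob[16:]).decode()

class TokenVault:
    """Separate service holding its own key and the token->SSN map; the data store sees neither."""
    def __init__(self, token_key: bytes):
        self._key, self._map = token_key, {}

    def tokenize(self, ssn: str) -> str:
        # Keyed HMAC: the token cannot be reversed or guessed without the vault key.
        token = hmac.new(self._key, ssn.encode(), hashlib.sha256).hexdigest()[:16]
        self._map[token] = ssn
        return token

    def detokenize(self, token: str) -> str:
        return self._map[token]

def store_application(app: dict, enc_key: bytes, vault: TokenVault) -> dict:
    """What lands in the data store: every field encrypted, the SSN tokenized first."""
    return {
        "name": encrypt_field(enc_key, app["name"]),
        "address": encrypt_field(enc_key, app["address"]),
        "ssn": encrypt_field(enc_key, vault.tokenize(app["ssn"])),
    }

def exposure_with_enc_key(stored: dict, enc_key: bytes) -> dict:
    """Models the incident: data store plus encryption key, but no token vault."""
    return {field: decrypt_field(enc_key, blob) for field, blob in stored.items()}

def run_demo() -> tuple:
    enc_key, token_key = os.urandom(32), os.urandom(32)  # held by different systems
    vault = TokenVault(token_key)
    stored = store_application(SAMPLE_APP, enc_key, vault)
    return exposure_with_enc_key(stored, enc_key), vault
```

The exposed record carries the real name and address but only a 16-hex-character token where the SSN was; the only way back to the SSN is the vault's own map.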