Capital One Gets In On The Data Breach Action, Coughs Up Info On 100 Million Customers To A Single Hacker

from the another-company-tells-customers-to-look-under-their-seats-for-free-credit-monito dept

Another day, another major data breach.

In one of the largest thefts of data from a bank, a software engineer in Seattle hacked into a server holding customer information for Capital One and stole millions of credit card applications, federal prosecutors said on Monday.

The suspect, Paige Thompson, left a trail online for investigators to follow, according to court documents in Seattle, where she was charged.

Let's go ahead and move on from the New York Times' use of the words "theft" and "stole" to refer to the exfiltration of a copy of data Capital One still holds and on to the fact that the only thing unusual about this breach is that a suspect has already been arrested and charged.

The timetable is pretty tight too, if Capital One is being honest about when it first discovered the breach.

Capital One Financial Corporation (NYSE: COF) announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.

That's a big "if" -- one that's certainly called into question by the swift apprehension of a suspect. Maybe this is all on the level. Even if it is, does it matter? Companies collecting massive amounts of data are still, on the whole, pretty cavalier about data security, even as breach after horrifying breach is announced.

Given the data obtained, it almost seems like it would have been far less labor-intensive to just scour the web for a copy of the Equifax breach and download that instead. The Venn diagram of the sensitive data likely has a significant overlap.

Then there's the press release by Capital One, which inadvertently shows how little it really cares what happens to customers' sensitive information.

No bank account numbers or Social Security numbers were compromised, other than:

About 140,000 Social Security numbers of our credit card customers

About 80,000 linked bank account numbers of our secured credit card customers

Wat.

Nothing was compromised but the stuff that was compromised. This is the laziest spin I've ever seen applied to a data breach. And I've seen the federal government in action.

And hooray for American exceptionalism?

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

Let's not step up to congratulate the G-men for their swift apprehension of the suspect. It appears the person accused of hacking Capital One's data engaged in zero opsec, turning the difficulty level down to "Easy" for investigators.

“I’ve basically strapped myself with a bomb vest,” Ms. Thompson wrote in a Slack post, according to prosecutors, “dropping capital ones dox and admitting it.”

Online, she used the name “erratic,” investigators said, adding that they verified her identity after she posted a photograph of an invoice she had received from a veterinarian caring for one of her pets.

All told, more than 100 million people are affected by this breach. Some are more affected than others, but this puts the Capital One breach on par with the Equifax breach in terms of potential victims. Unlike Equifax, the exfiltrated information was voluntarily given to Capital One by its customers, rather than harvested en masse without explicit consent for the sole purpose of selling to creditors.

And while the data stores of Rome are burning, the US government fiddles. Meaningless settlements do nothing to encourage better security efforts and the head of the DOJ is spending his time arguing against strong encryption. It's time to retire the sunglasses. The future isn't all that bright after all.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: credit cards, data breach, hacks, paige thompson, social security numbers
Companies: capitol one


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    AricTheRed, 30 Jul 2019 @ 1:51pm

    Re: Are Card Issuers Subject to PCI compliance?

    One Rule for Me
    Another for Thee.

    The requirements for PCI Compliance is mostly put on the Merchant, not Issuers not Processors.

    The Issuers and Processors wrote the rules.


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.