Capital One Gets In On The Data Breach Action, Coughs Up Info On 100 Million Customers To A Single Hacker
from the another-company-tells-customers-to-look-under-their-seats-for-free-credit-monito dept
Another day, another major data breach.
In one of the largest thefts of data from a bank, a software engineer in Seattle hacked into a server holding customer information for Capital One and stole millions of credit card applications, federal prosecutors said on Monday.
The suspect, Paige Thompson, left a trail online for investigators to follow, according to court documents in Seattle, where she was charged.
Let’s go ahead and move on from the New York Times’ use of the words “theft” and “stole” to refer to the exfiltration of a copy of data Capital One still holds and on to the fact that the only thing unusual about this breach is that a suspect has already been arrested and charged.
The timetable is pretty tight too, if Capital One is being honest about when it first discovered the breach.
Capital One Financial Corporation (NYSE: COF) announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.
That’s a big “if” — one that’s certainly called into question by the swift apprehension of a suspect. Maybe this is all on the level. Even if it is, does it matter? Companies collecting massive amounts of data are still, on the whole, pretty cavalier about data security, even as breach after horrifying breach is announced.
Given the data obtained, it almost seems like it would have been far less labor-intensive to just scour the web for a copy of the Equifax breach and download that instead. The Venn diagram of the sensitive data likely has a significant overlap.
Then there’s the press release by Capital One, which inadvertently shows how little it really cares what happens to customers’ sensitive information.
No bank account numbers or Social Security numbers were compromised, other than:
About 140,000 Social Security numbers of our credit card customers
About 80,000 linked bank account numbers of our secured credit card customers
Nothing was compromised but the stuff that was compromised. This is the laziest spin I’ve ever seen applied to a data breach. And I’ve seen the federal government in action.
And hooray for American exceptionalism?
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
Let’s not step up to congratulate the G-men for their swift apprehension of the suspect. It appears the person accused of hacking Capital One’s data engaged in zero opsec, turning the difficulty level down to “Easy” for investigators.
“I’ve basically strapped myself with a bomb vest,” Ms. Thompson wrote in a Slack post, according to prosecutors, “dropping capital ones dox and admitting it.”
Online, she used the name “erratic,” investigators said, adding that they verified her identity after she posted a photograph of an invoice she had received from a veterinarian caring for one of her pets.
All told, more than 100 million people are affected by this breach. Some are more affected than others, but this puts the Capital One breach on par with the Equifax breach in terms of potential victims. Unlike in the Equifax breach, the exfiltrated information was voluntarily given to Capital One by its customers, rather than harvested en masse without explicit consent for the sole purpose of selling to creditors.
And while the data stores of Rome are burning, the US government fiddles. Meaningless settlements do nothing to encourage better security efforts and the head of the DOJ is spending his time arguing against strong encryption. It’s time to retire the sunglasses. The future isn’t all that bright after all.