The Capital One Data Breach: What’s In Your Wallet May Hurt You


On July 19, Capital One announced that a hacker gained access to the accounts and credit card applications of more than 100 million customers from the United States and Canada. The breach is one of the largest thefts of data from a bank ever.

A former employee of Amazon Web Services (AWS), the bank’s cloud service provider, illegally accessed the customer data in March 2019. The breach involved names, addresses, dates of birth, credit scores, balances, and other information, including 140,000 Social Security numbers and 80,000 linked bank account numbers dating from 2015 to early 2019. It also included credit card applications going as far back as 2005.

While the numbers paint a grim picture, the bank noted in a statement that “no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised.” Still, it’s a black eye for the country’s third-largest credit card issuer.

How did it happen?

According to the FBI, the hacker gained access to the sensitive data through a “misconfiguration” of a firewall on a web application. That allowed the hacker to communicate with the server where Capital One was storing its information and, eventually, obtain customer files.

A criminal complaint says the hacker then tried to share the information with others online. The 33-year-old, who lives in Seattle, had previously worked as a software engineer for Amazon Web Services, the cloud hosting company that Capital One was using, the Justice Department said. She was able to gain access by exploiting a misconfigured web application firewall, according to a court filing.

Thompson posted the information on GitHub, using her full first, middle and last name, the complaint says. She also boasted on social media that she had Capital One information.

In a channel on Slack, a chat service often used by businesses as well as other groups, Thompson explained the method she used to break into Capital One, the Justice Department alleges. She claimed to use a special command to extract files in a Capital One directory stored on Amazon's servers.

Who is affected by the Capital One data breach?

The breach involved 100 million individuals from the United States and 6 million from Canada. 

Unfortunately, Capital One said the bank account numbers were linked to customers with “secured” credit cards, which are frequently used by individuals in vulnerable financial positions. Secured cards require customers to put forth a sum of money in exchange for a card.

Such credit cards are typically held by consumers with low credit scores or no credit history at all. In short, the typical secured credit card customer is someone who is trying to establish, or reestablish, their financial footing. Many of the 80,000 affected customers could have a hard time recovering from an identity theft, if that were to result.

The Capital One Response

In a statement, Capital One indicated it fixed the vulnerability and said it is “unlikely that the information was used for fraud or disseminated by this individual.” Still, the company is investigating to make sure further harm is avoided.

The statement also indicated that the company plans to notify all individuals affected by the breach, and make credit monitoring and identity protection available at no cost. Between these efforts, technical costs, and legal support, the company expects to incur $100-150 million in expenses related to the hack.

Capital One CEO Richard Fairbank offered his own perspective: “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” he said.

This is not the first time Capital One has been on the receiving end of a breach. In 2017, Capital One notified customers that a former employee may have had access for nearly four months to their personal data, including account numbers, telephone numbers, transaction history, and Social Security numbers. The company reported a similar breach involving an employee in 2014.

What can consumers do?

It’s been said a million times before, and we’ll say it again: breaches are the new normal. Consumers should assume that their personal information is not safe, and prepare for the worst. 

It's particularly important for secured credit card customers to take Capital One up on its offer to give free credit monitoring and identity protection. Experts also recommend affected people keep a close eye on their credit reports for any unexplained activity, watch their bank statements for any unfamiliar expenses, and freeze their credit to prevent suspicious activity.

What can companies do?

For any organization—banks or otherwise—the best plan is to prepare for a data breach as if it’s going to happen. Putting controls in place, preparing breach response plans, automating processes, and keeping key personnel up-to-date before a breach occurs are monumental undertakings. 

LogicGate’s Audit and Controls Management software can help you stay on top of the checks-and-balances that keep your company on the right track and out of the headlines. Our automated system will help you manage your company’s compliance standards, significantly reducing the risk of breaches and reputational damage.

