Massive Capital One Breach – How did this happen?

I was just in the middle of writing something else when the Capital One story broke.  Considering I’ve already seen it referred to as “the new Equifax,” I thought it might be worth a look (that’s me understating it).  Especially since Equifax was itself in the news again lately for its settlement story.

The full tally right now is 106 million customers affected in both the US and Canada.  If you’ve ever had a Capital One credit card since 2005, then you might have information at risk, including your name, address, financial data and Social Security number (over one million of which were compromised).

The most distinctive part of this headline so far is the culprit.  A software engineer in Seattle, formerly an employee of Amazon Web Services, has already been arrested as a suspect by the FBI.  If that sounds like a remarkably quick turnaround to you, well, you’re right.  But it probably wasn’t the most challenging case the agents have ever worked, given the suspect was publicly boasting about the hack through social media.  “I’ve basically strapped myself with a bomb vest,” wrote Paige Thompson in a Slack post, “dropping capital ones dox and admitting it.”  The FBI agent in charge of the investigation states that the breach was carried out by getting past the AWS firewall that was supposed to protect the database holding the sensitive information.

Despite other online posts claiming she intended to distribute the stolen information, according to the bank no fraud or dissemination seems to have occurred.  Whether the hacker didn’t get a chance, or never truly meant to do so, is not clear.  Either way, it seems that her fellow Slackers at least were concerned: “don’t go to jail plz,” commented one user.

TechCrunch’s Zack Whittaker draws a clear line between this incident and Equifax, arguing that the lack of consequences for the latter failed to spark the pressure needed to make organizations bolster their defenses.  It is true that Equifax faced relatively minimal penalty for its breach.  Investigations were not pursued, fines were light, and no legislation has since been enacted.  Major firms were not incentivized to take data protection as seriously as they should.  With nothing forcing them to act, it is no surprise when this happens again.

For its part, Capital One says it immediately fixed the vulnerability once it became aware of it, and it plans to notify all individuals affected.  It will be interesting to see where this story goes.

I just hope the suspect’s cat is ok.


By: Jonathan Weicher, post on July 31, 2019
Originally published at:
Copyright: NetLib Security