Capital One announced Monday that a hacker stole information off of its servers and that about 100 million customers were affected. The suspect, Paige Thompson, was arrested by the FBI and is in custody. Although the company said that they don’t believe that Thompson used the stolen information maliciously, they’re still investigating the situation.
Apparently, Thompson was able to access the information because of a temporary misconfiguration of the server’s firewall that allowed her to exploit the data of about 100 million people in the United States and about 6 million people in Canada. Although the company fixed the vulnerability, that it happened at all is a major problem.
Most of the information affected by the breach was collected by Capital One between 2005 and 2019 via credit applications filled out by individuals and small businesses. According to the report:
“The data accessed included personal information from credit card applications, such as names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
Other accessed data included Social Security numbers of 140,000 people, 80,000 bank account numbers, and about 1 million Canadian customers’ social insurance numbers. According to the Capital One press release:
“Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.”
The most surprising thing about the breach is that Thompson gloated about it on social media – that’s how she got caught. Thompson, who used to work for Amazon, ran a Meetup group called “Seattle Warez Kiddies,” where she posted the updates. The FBI began tracing her posts and found Twitter and Slack messages that also pointed to her alleged hack. One of her messages said:
“I’ve basically strapped myself with a bomb vest, dropping capital ones dox and admitting it.”
If convicted, Thompson faces up to five years in prison and a $250,000 fine. Capital One apologized for the incident and said they will notify affected customers, as the company is “offering free credit monitoring and identity protection” to those affected.
Featured Image by Mediamodifier via Pixabay