Capital One Financial Corporation admitted that more than 100 million Americans lost their data in an attack where a former Amazon.com Inc. cloud service employee, Paige Thompson, illegally accessed the organization’s server.
Even though the case does not explicitly identify the cloud service provider that stored the leaked information, some court papers mention a popular AWS product, the Simple Storage Service (S3). An article published on Bloomberg indicates that an AWS spokesperson confirmed this fact, but refuted the possibility of any hacking incident or vulnerability on its systems. Instead, the alleged data breach stemmed from the exploitation of a misconfigured open-source Web Application Firewall protecting the AWS product deployed by the bank.
Capital One Post Incident Action
The victim immediately fixed the issue and contacted federal law enforcement after discovering the incident. According to Capital One, authorities recovered illegally accessed information, and there is no evidence that the leaked personal data was used to commit fraud or shared by the malicious actor.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Richard D. Fairbank, Capital One CEO, said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”
Capital One Data Breach Impact
The organization revealed that the breach, which took place between March 22 and 23, affected approximately 100 million individuals in the United States and 6 million Canadians. Crucial and personally identifiable information leaked during the incident includes United States Social Security numbers, Canadian Social Insurance numbers, bank account numbers, people’s names, addresses, zip/postal codes, self-reported income, phone numbers, email addresses, credit details, and dates of birth, according to details released on the official Capital One website.
Other details include information on small businesses that applied for Capital One services between 2005 and 2019. Beyond the application information, Thompson obtained portions of transaction data for 23 days. The bank’s stock went down 5 percent in premarket trading towards the end of July.
Fortunately, credit card details and user credentials were not compromised during the incident. Moreover, the leaked Social Security numbers were less than one percent of the total data subjects processed by the firm. Capital One, in collaboration with the FBI, luckily captured the outsider who committed the crime.
All affected customers were notified through the mail. Additionally, Capital One continues to offer free credit monitoring and identity protection to the victims. An article on CNN Business reveals that the bank might incur between $100 and $150 million in costs related to the hack. The expenses include customer notifications, credit monitoring, identity theft, legal procedures, and technology costs.
TechCrunch further writes that Capital One has replaced its cybersecurity chief, four months after the massive data breach.
A Hacker or Script Kiddie?
The Capital One data incident paints an image of a less careful cybercriminal. Firstly, the information posted by Thompson on GitHub contained her first, middle, and last name. Secondly, she bragged about the occurrence on social media platforms. In fact, the culprit demonstrated on Slack the steps she used to attack the bank. The Justice Department revealed that Thompson deployed special commands to steal files from a Capital One directory hosted on AWS.
“I wanna get it off my server, that’s why I’m archiving all of it lol,” Thompson, going by the username ‘erratic,’ posted on Slack.
Another user by the name ‘Sketchy’ added “don’t go to jail plz,” based on the sensitive nature of Thompson’s posts.
Unlike the norm, where hackers use pseudonyms to disguise their identities, the Capital One attacker used her authentic social media accounts and names. This made it easy for law enforcement to get hold of her after one GitHub user notified the bank about the information on the leaked data.
The FBI also revealed that Thompson had devices that referenced Amazon, Capital One, and other entities that might have been her targets. TechCrunch divulges that other victims of Thompson’s attempts or actual breaches include Vodafone, Ford, and Ohio’s Department of Transportation. The exposé follows earlier reports from Forbes insinuating that the alleged hacker’s Slack posts point to further incidents at other organizations.
Notifying affected individuals
According to Capital One, affected individuals were contacted by mail. However, unlike in other incidents such as the one involving Equifax, the bank never created a website to enable customers to find out about the hacking themselves.
With notification happening by mail, Cnet.com cautions victims to be on the lookout for other malicious actors taking advantage of the situation. “Be on guard for emails and phone calls from scammers posing as Capital One or government representatives asking for credit card or account information, your Social Security number or other personal information,” states the article.
Measures you can take
On top of Capital One’s post-incident measures, individuals can take numerous steps to detect and mitigate future fraud that hackers could commit using their information.
- Credit report monitoring: monitor your credit report from credit bureaus, such as TransUnion and Equifax. Examine the reports to identify unusual entries. Also request credit card and bank statements to discover unexpected transactions.
- Get a credit monitoring service: apart from the free credit monitoring service offered by Capital One, consider getting another provider that constantly screens and alerts you when unusual activities are detected on your reports.
- Identity theft: create fraud alerts to get notified when your identity is used to create credit accounts. Alert relevant authorities if you suspect fraud or discover unsolicited charges and payments on your account.
- Credit freezing: freezing your credit prevents anyone from requesting loan services using your identity without your approval.
Capital One and other enterprises should focus on boosting security measures on servers to reduce the number of data breaches experienced today. In addition, organizations should conduct thorough evaluations of cloud service providers and other third parties they share their data with to ensure that they implement suitable levels of security. Finally, law enforcement agencies should impose stringent penalties on culprits to prevent similar data breaches from happening in the future.