Capital One Breach Exposes Data of 106 Million Customers

A hacker accessed the personal data of about 106 million credit card customers and applicants of Capital One Financial, the fifth-largest credit card company in the U.S., making it one of the biggest such breaches of a large bank. Federal authorities arrested 33-year-old Paige Thompson, who is accused of breaking through the bank’s firewall to access data stored on Amazon’s cloud service. Most of those exposed by the hack were customers and small businesses who applied for credit cards between 2005 and early 2019.

The Wall Street Journal reports that Thompson, a former employee of Amazon Web Services, acquired addresses, dates of birth and self-reported income as well as about 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores, payment histories and credit limits.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Capital One chair/chief executive Richard Fairbank. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

The criminal complaint states that Thompson “intended for the data to be distributed online” although it is unlikely that she got that far. Nonetheless, “the incident is expected to cost approximately $100 million to $150 million.” Thompson, who is charged with one count of computer fraud and abuse, is presumed to have accessed the bank data via a “misconfigured firewall” and subsequently “boasted online about her alleged theft of the data, which allowed law enforcement to quickly identify her.”

Although the breach took place in March, it wasn’t until July that an ethical hacker emailed Capital One, which then alerted law enforcement. Capital One, says WSJ, has been “an enthusiastic adopter of the cloud for data storage.”

TechCrunch reports that “Capital One’s breach was inevitable, because we did nothing after Equifax.” Equifax just paid more than $575 million to settle a data breach it “hid from the public for several months — two years prior … [and] faced zero fallout until its eventual fine.” Equifax chief executive Richard Smith retired, rather than be fired, and kept his “substantial pension packet.”

An investigation “launched by the former head of the Consumer Financial Protection Bureau … declined to pursue the company … [and] the FTC took its sweet time to issue its fine — which amounted to about 20 percent of the company’s annual revenue for 2018.” In other words, Equifax “got off lightly,” and there has been no subsequent legislation.

Now, it’s happened again and, “without a congressional intervention, Capital One is likely to face largely the same rigmarole as Equifax did.” “Fool us twice, shame on the credit companies for not properly taking action in the first place,” says TechCrunch. “The Equifax incident should have sparked a fire under the credit giants … it was always going to happen again unless there was something to force the companies to act.”

Thompson faces a five-year prison sentence and a fine of up to $250,000.

Related:
For Big Banks, It’s an Endless Fight With Hackers, The New York Times, 7/30/19
Capital One Breach Casts Shadow Over Cloud Security, The Wall Street Journal, 7/30/19