A Seattle hacker broke into a Capital One data server and stole the personal information of more than 100 million U.S. and Canadian credit applicants, federal prosecutors said. The breach is one of the largest to affect a financial institution.
On July 29, the U.S. Department of Justice (DOJ) announced that federal authorities had taken Paige Thompson, a 33-year-old software engineer, into custody after following a trail of social media posts.
According to the DOJ, Ms. Thompson illegally accessed the Capital One server through a misconfigured firewall on a web application. The database Ms. Thompson hacked was hosted by Amazon Web Services, a unit of Amazon that she used to work for.
Capital One says the stolen data affects about 100 million people in the U.S. and 6 million people in Canada. The data includes 140,000 U.S. Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and an undisclosed number of credit applicants’ names, addresses, credit limits, bank account balances, and other information submitted by consumers and small businesses as early as 2005 and as recently as 2015.
The DOJ says Ms. Thompson publicly posted about the theft on GitHub, a platform for software developers to share information and manage projects. A GitHub user who saw the post alerted Capital One on July 17 that one of its data servers had been hacked. Capital One contacted the FBI on July 19 after determining that someone had illegally accessed its data.
The FBI continued to monitor Ms. Thompson’s activities, noting that she posted on Twitter and other social media platforms her intent to “distribute” the stolen data. Investigators also noted other posts indicating that she may have hacked or planned to hack “several companies, government entities and educational institutions.”
Capital One said that it immediately fixed the vulnerability in its configuration. Reuters notes that Amazon Web Services hosts the remote data servers that companies use to store their information, but those companies build their own web applications on top of Amazon’s cloud data to meet their specific requirements. Amazon said there is no indication that the data breach compromised its underlying cloud services.
Capital One said it will notify individuals affected by the breach and will offer free credit monitoring and identity protection services.
Beasley Allen lawyer Archie Grubb handles cases involving fraud, including issues involving cybersecurity affecting consumers, the public and employees. If you feel you have a claim of economic loss related to the Capital One data breach or other cybersecurity issues, he would like to talk with you.