By Matthew Dove
Credit card giant Capital One has admitted to suffering from one of the largest data breaches in the industry’s history.
In a statement released yesterday, the firm revealed that personal details of around 106 million individuals in the US and Canada have been stolen. The breach is believed to be the work of a lone hacker and is a galling reminder of the structural fragility of some of our most influential institutions.
Capital One explained how the hacker was able to “exploit” a “configuration vulnerability” in the company’s tech stack. It’s believed that 100 million American users were affected as well as a further 6 million in Canada. Roughly 140,000 US social security numbers and 80,000 linked bank account numbers were compromised as a result of the hack.
The stolen information includes names, addresses and phone numbers of people who applied for Capital One products. However, no credit card account numbers are thought to have been accessed.
A lone suspect, Paige Thompson, 33, is already in police custody following her arrest on Monday. Reportedly, Thompson was detained by authorities having boasted about her involvement in the hack via a post online. A software engineer from Seattle, Thompson is being held on charges of computer fraud and abuse.
According to the US attorney’s office in Washington, Thompson’s bragging was brought to Capital One’s attention by a concerned user of a chat forum.
“On July 17 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft.”
Nonetheless, the hacker’s nefarious activities weren’t formally identified until 19 July and it was a further 10 days before the credit firm deigned to issue a press release.
Richard D. Fairbank, Chairman and CEO, had this to say:
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened… I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”
The company’s extended musings on the incident raise as many questions as they address. For a start the breach wasn’t detected internally.
As Capital One freely admits:
“The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program.”
Secondly, encryption did not protect the data, even though, in the company’s own words, “We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorised access also enabled the decrypting of data.”
At March’s Senate hearing into the 2017 Equifax data breach, Sen. Tom Carper decried what he saw as a “cultural indifference to cybersecurity” at the credit scoring goliath. The hearing’s findings also led Peter White of Rethink Technology Research to assert:
“security is a “grudge” purchase, during periods when things are not being hacked, finance guys cut funds to support proper process.”
With this latest clanger set to cost Capital One a sizeable “$100 to $150 million in 2019” (according to its own estimates), one wonders how long cybersecurity will remain a “grudge purchase” for the institutions charged with the protection of our most personal information.