Capital One which is the fifth-largest U.S. credit-card issuer and banking institution was affected by a data breach and the personal information of more than 100 million credit card applicants in the United States and 6 million in Canada were exposed.
The data breach happened on March 22nd and 23rd and the attackers managed to steal information of customers who had applied for a credit card between 2005 and 2019.
But the security incident came to light after July 19 when a hacker posted information about the theft on her GitHub account.
In relation to the breach, the FBI arrested Paige Thompson a.k.a erratic, 33, a former Amazon Web Services software engineer who worked for a Capital One contractor from 2015 to 2016. Electronic storage devices containing a copy of the stolen data were also seized.
Thompson was charged with computer fraud and abuse, which carries up to five years in prison and a $250,000 fine. A hearing has been scheduled for August 1, 2019.
As per the court documents, Thompson allegedly exploited a misconfigured firewall on Capital One’s Amazon Web Services cloud server and stole more than 700 folders of data stored on that server in March.
Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion.
Amazon Web Services were however not compromised as the alleged hacker gained access to the cloud server due to Capital One’s misconfiguration and not through vulnerability in Amazon’s infrastructure.
The compromised data includes around 140,000 Social Security numbers and 80,000 bank account numbers linked to American customers, and 1 million Canadian Social Insurance numbers.
Some of the customers’ names, addresses, dates of birth, credit scores, credit limits, balances, payment history, and contact information were also compromised in the security breach.
Capital One assured all the customers that “no credit card account numbers or log-in credentials were compromised” and that more than 99% of the Social Security numbers that the company has on file weren’t affected.
The company immediately fixed the configuration vulnerability exploited by the hacker and promptly began working with federal law enforcement. All the affected customers will be notified and will be provided free credit monitoring services.