Capital One Breach Affects 100M US Citizens, 6M Canadians

The breach exposed credit card application data, Social Security numbers, and linked bank accounts, among other information.

Another massive data breach has struck the US financial sector: This time it's Capital One, which has officially confirmed a breach affecting about 100 million Americans and 6 million Canadians.

On July 29, 2019, the bank and credit card issuer reported an unauthorized intruder had gained access to several types of personal information belonging to Capital One credit card customers and people who had applied for credit cards between 2005 and early 2019. The FBI has arrested and charged one suspect, who is now in custody.

Most of the compromised information belonged to small businesses and consumers who had applied for credit cards. This included applicants' names, addresses, ZIP codes and postal codes, phone numbers, email addresses, birth dates, and self-reported income. Beyond application data, the intruder obtained portions of credit card customer information, including "status data" such as credit scores and limits, balances, payment history, and contact info. The breach also exposed pieces of transaction data from 23 days during 2016, 2017, and 2018, Capital One said in a statement.

About 140,000 Social Security numbers (SSNs) belonging to Capital One credit card customers were accessed, as well as 80,000 linked bank accounts of secured credit card customers. The attacker was able to obtain approximately 1 million Social Insurance numbers from Canadian users. Credit card numbers and login credentials were not exposed in the breach, officials report.

The unauthorized access took place on March 22-23, 2019, when Capital One says "a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure." An external security researcher reported the bug to Capital One via its Responsible Disclosure Program on July 17, 2019. The bank launched an internal investigation, which led to the discovery of this breach on July 19 and the public announcement on July 29.

Capital One stores its data in the cloud; reports indicate the attacker was able to exploit a weakness in a misconfigured web application firewall to gain access to the files stored in an Amazon Web Services (AWS) database. The bank "immediately addressed" the bug and verified there are no other instances in its environment. It altered its automated scanning to regularly look for this issue.

"This incident underscores that every component added to an organization's IT environment — even security components — can add to the attack surface and become an entry point for attackers," says Bob Rudis, chief data scientist at Rapid7. While banks have improved their ability to scan for bugs, implement access controls, and improve their overall security posture, it only takes one mistake to leave them exposed to a breach like this one.

The bank encrypts its data as a standard; however, due to the circumstances of this breach, the unauthorized access also enabled data decryption. It's also Capital One's practice to tokenize certain data fields, particularly SSNs and account numbers. Tokenized data remained protected.

About the Suspect
The FBI has arrested Paige Thompson, former software engineer with AWS, and charged her with violation of the Computer Fraud and Abuse Act. Thompson, known online under the pseudonym "erratic," will appear at a hearing on August 1.

The criminal complaint states that after Thompson stole the data from Capital One servers, she posted about it on GitHub. A GitHub user who saw her posts alerted Capital One, which contacted the FBI after confirming a breach. On July 29, agents appeared at Thompson's home with a search warrant and seized electronic storage devices containing a copy of the data.

In examining the GitHub file, Capital One determined the firewall misconfiguration allowed commands to reach and be executed by the server, which enabled an attacker to access folders or buckets of data in the bank's storage space, the criminal complaint says. Computer logs showed connections between the bank's AWS folders and the intruder, made by way of the firewall bug.

Capital One believes it's unlikely Thompson used the data for fraud or disseminated it.

What You Should Do
Capital One will notify affected customers "through a variety of channels," the company says. It plans to make free credit monitoring and identity protection available to those affected. That said, security experts strongly urge account holders to be cautious and monitor their accounts.

"While it looks like all the appropriate measures have been taken to mitigate the risk of fraud, Capital One customers should continue to be extremely vigilant," says Leigh-Anne Galloway, Positive Technologies' cybersecurity resilience lead. "Keep an eye on your bank accounts and any other connected accounts such as email addresses and immediately flag any suspicious activity to authorities or Capital One."

Even if all the compromised data has been secured and accounted for, she adds, cybercriminals may still try to capitalize on this breach by sending phishing emails posing as bank officials or authorities. Victims should treat any incoming communication with suspicion.

As for businesses storing information in the cloud, security experts advise taking a closer look at security controls and processes related to protecting data in the cloud: "Organizations should regularly take an inventory of both what they've attached to their perimeter network(s) and — especially — regularly review the configurations of these components to ensure they are providing the minimum access necessary to facilitate key business processes," says Rudis, who also advises scheduling regular penetration tests to ensure systems aren't exposed.
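One concrete form of the configuration review Rudis describes, written as an added example rather than anything from Capital One or Dark Reading: a least-privilege check over an AWS IAM policy document that flags Allow statements granting broad S3 list/read actions on an unrestricted resource. The two sample policies are constructed for the example; the action list and the "unscoped resource" rule are the author's assumptions about what a perimeter component should never hold.

```python
"""Least-privilege review of AWS IAM policy documents (added example).

Flags Allow statements that pair broad S3 list/read actions with an
unrestricted resource. Sample policies are constructed, not Capital One's.
"""
import fnmatch

# Actions that let a principal enumerate or read whole data stores; an
# edge component (proxy, WAF host) rarely needs any of them unscoped.
SENSITIVE_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket",
                     "s3:GetObject", "s3:*")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list:
    """Return one finding per Allow statement whose actions cover a
    sensitive S3 action (wildcards expanded) on an unrestricted resource."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        unscoped = any(r == "*" or r.endswith(":::*") for r in resources)
        risky = [a for a in actions
                 if any(fnmatch.fnmatchcase(s, a) for s in SENSITIVE_ACTIONS)]
        if risky and unscoped:
            findings.append(f"statement {idx}: {risky} allowed on {resources}")
    return findings


# Constructed samples: an over-broad role policy and its scoped replacement.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-static-assets/*"}]}

if __name__ == "__main__":
    print(audit_policy(BROAD_POLICY))   # one finding
    print(audit_policy(SCOPED_POLICY))  # []
```

Run it against the policy documents attached to roles on internet-facing components as part of the regular inventory; a non-empty result is a candidate for the "minimum access necessary" review, not an automatic verdict.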

Cloud security "can sometimes be less forgiving" given the power and magnitude of its storage and processing powers, adds BlackCloak CEO Dr. Chris Pierson. Data stores of the past were smaller and more distributed; today's cloud instances present new challenges. "Given the changed dynamics of cloud environments, security and infrastructure teams must be able to continually monitor, scan, and protect the data they have and hold," he says.

While many major cloud providers are building stronger security into their offerings, it's still the business's responsibility to handle risk management, monitoring, backups, and maintenance. Capital One's improperly configured cloud software should serve as a warning to businesses to ensure their security teams are trained and alert to the danger of small issues like these having big consequences.

Capital One estimates this data breach will cost about $100 million to $150 million in 2019, with costs primarily driven by customer notifications, credit monitoring, technology, and legal support. That said, it could end up costing far more: Equifax, the credit reporting giant that suffered a data breach affecting 147 million people in 2017, will pay up to $700 million in damages.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

8/6/2019 | 12:57:25 PM
Re: Cost
Aptly put, but I would say instead "Who's in your wallet?"
8/1/2019 | 7:58:53 AM
Re: Sophisticated?
Man, I agree with you; they saw a firewall rule on the ACL list that pointed to a TOR site. I mean, how obvious can it be? In addition, she was an ex-programmer who was directly involved with the project. All you have to do is whittle it down: who worked on the project, who left, who was disgruntled, and who had full access to the private/secret keys? There you go - Paige Thompson.

GeekWire stated this:
100 million people in the U.S. and 6 million people in Canada were affected in total.

I do understand Canada was affected, but we are talking apples to oranges here when we look at the sheer numbers; this is astounding.

This is what CapitalOne said:
Capital One said it is "unlikely that the information was used for fraud or disseminated by this individual." No credit card account numbers or log-in credentials were compromised.

To your point, this is "Hog Wash", lol. The marketing team is working their hardest to try and clean this up, but seriously, whoever has this data (and this data was on a TOR site) is looking for "black market" purchasers to buy it. It may not be now, but it is a matter of time; she is just the fall person.

By the way, this is what she said (Dummy):

Soper did a great job in reporting - CapitalOne Reporting

But to your point, people talk too much, she was over her head.

7/31/2019 | 9:20:54 AM
Re: Cost
In a nutshell: What's in your wallet? (Nothing after I get through with it)
7/30/2019 | 2:18:42 PM
So ..... the discovery was ....
A GitHub user. Not in Cap One, not on their staff ---- nope, somebody totally outside the firm noticed data and was kind enough to make a phone call. Gee, isn't that special, as THE CHURCH LADY used to say. Of course the thief also bragged about it on social media - also stupid. But plenty of that at Cap One apparently. NOBODY NOTICED?????