Capital One Gets In On The Data Breach Action, Coughs Up Info On 100 Million Customers To A Single Hacker
from the another-company-tells-customers-to-look-under-their-seats-for-free-credit-monito dept
Another day, another major data breach.
In one of the largest thefts of data from a bank, a software engineer in Seattle hacked into a server holding customer information for Capital One and stole millions of credit card applications, federal prosecutors said on Monday.
The suspect, Paige Thompson, left a trail online for investigators to follow, according to court documents in Seattle, where she was charged.
Let's go ahead and move on from the New York Times' use of the words "theft" and "stole" to refer to the exfiltration of a copy of data Capital One still holds and on to the fact that the only thing unusual about this breach is that a suspect has already been arrested and charged.
The timetable is pretty tight too, if Capital One is being honest about when it first discovered the breach.
Capital One Financial Corporation (NYSE: COF) announced today that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.
That's a big "if" -- one that's certainly called into question by the swift apprehension of a suspect. Maybe this is all on the level. Even if it is, does it matter? Companies collecting massive amounts of data are still, on the whole, pretty cavalier about data security, even as breach after horrifying breach is announced.
Given the data obtained, it almost seems like it would have been far less labor-intensive to just scour the web for a copy of the Equifax breach and download that instead. The Venn diagram of the sensitive data likely has a significant overlap.
Then there's the press release by Capital One, which inadvertently shows how little it really cares what happens to customers' sensitive information.
No bank account numbers or Social Security numbers were compromised, other than:
About 140,000 Social Security numbers of our credit card customers
About 80,000 linked bank account numbers of our secured credit card customers
Wat.
Nothing was compromised but the stuff that was compromised. This is the laziest spin I've ever seen applied to a data breach. And I've seen the federal government in action.
And hooray for American exceptionalism?
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
Let's not step up to congratulate the G-men for their swift apprehension of the suspect. It appears the person accused of hacking Capital One's data engaged in zero opsec, turning the difficulty level down to "Easy" for investigators.
“I’ve basically strapped myself with a bomb vest,” Ms. Thompson wrote in a Slack post, according to prosecutors, “dropping capital ones dox and admitting it.”
Online, she used the name “erratic,” investigators said, adding that they verified her identity after she posted a photograph of an invoice she had received from a veterinarian caring for one of her pets.
All told, more than 100 million people are affected by this breach. Some are more affected than others, but this puts the Capital One breach on par with the Equifax breach in terms of potential victims. Unlike Equifax, the exfiltrated information was voluntarily given to Capital One by its customers, rather than harvested en masse without explicit consent for the sole purpose of selling to creditors.
And while the data stores of Rome are burning, the US government fiddles. Meaningless settlements do nothing to encourage better security efforts and the head of the DOJ is spending his time arguing against strong encryption. It's time to retire the sunglasses. The future isn't all that bright after all.
Filed Under: credit cards, data breach, hacks, paige thompson, social security numbers
Companies: capital one
Reader Comments
The First Word
skip to the easy part
From the Capital One Announcement:
"Was the data encrypted and/or tokenized?
We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.
However, it is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected."
Seems to imply access via all the proper access information not deleted from employee X, and employee X is flipping off Capital One. Not a real hack but bad access rights management.
I'm not IT (tried it - made me hate the job). I have plenty of fun at hardware coding. Oops, retired.
Too much is missing from articles - why did the "suicide bomb vest" comment get no questions? Payback is a bitch via scorned employees.
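The press-release answer quoted in that comment draws the line between "encrypted" and "tokenized", and the distinction is the whole story of why one set of fields leaked and the other did not. The following is an added example, not code from the article, the comment, or Capital One: a small Python model (standard library only, a toy keystream standing in for a real cipher, and made-up role names) of a store whose at-rest encryption key is usable by whoever the store trusts to read it, next to a token vault with its own separate policy. A stolen read role gets the decrypted fields; the tokenized fields stay opaque.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical role names, invented for this demonstration only.
STORE_READ = "store-read"              # may read the store, and the store decrypts for readers
VAULT_DETOKENIZE = "vault-detokenize"  # may exchange a token for the original value

TOKENIZED_FIELDS = ("ssn", "account_number")


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stand-in for AES-CTR: a SHA-256 counter-mode keystream XORed over data.
    It models "you need the key to read it" and nothing more; never use it for real data."""
    stream = b"".join(
        hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


class EncryptedStore:
    """Rows encrypted under one data key that the store itself holds.
    The store decrypts for any principal allowed to read it, so encryption at rest
    defends against a stolen disk, not against a stolen role."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._rows: dict = {}

    def put(self, row_id: str, fields: dict) -> None:
        nonce = secrets.token_bytes(12)
        self._rows[row_id] = (
            nonce,
            {k: _keystream_xor(self._key, nonce + k.encode(), v.encode()) for k, v in fields.items()},
        )

    def get(self, principal: Principal, row_id: str) -> dict:
        if STORE_READ not in principal.roles:
            raise PermissionError(f"{principal.name} may not read the store")
        nonce, enc = self._rows[row_id]
        # Transparent decryption: the reader never touches the key, the store applies it.
        return {k: _keystream_xor(self._key, nonce + k.encode(), v).decode() for k, v in enc.items()}


class TokenVault:
    """Tokens are random surrogates with no mathematical link to the value.
    The mapping lives here, behind a policy separate from the store's."""

    def __init__(self) -> None:
        self._forward: dict = {}  # value -> token (same value -> same token, so joins still work)
        self._reverse: dict = {}  # token -> value

    def tokenize(self, value: str) -> str:
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, principal: Principal, token: str) -> str:
        if VAULT_DETOKENIZE not in principal.roles:
            raise PermissionError(f"{principal.name} may not detokenize")
        return self._reverse[token]


def store_application(store: EncryptedStore, vault: TokenVault, row_id: str, application: dict) -> None:
    """Tokenize the high-value identifiers first, then encrypt the whole row."""
    row = dict(application)
    for f in TOKENIZED_FIELDS:
        row[f] = vault.tokenize(row[f])
    store.put(row_id, row)


def read_application(principal: Principal, store: EncryptedStore, vault: TokenVault, row_id: str) -> dict:
    """What a given principal actually sees: plaintext for encrypted fields if it can read
    the store, the real identifiers only if it can also reach the vault."""
    row = store.get(principal, row_id)
    for f in TOKENIZED_FIELDS:
        try:
            row[f] = vault.detokenize(principal, row[f])
        except PermissionError:
            pass  # the opaque token is all this principal gets
    return row


def demo() -> dict:
    store, vault = EncryptedStore(), TokenVault()
    # Constructed sample record for the demonstration; not real data.
    store_application(store, vault, "app-1", {
        "name": "Jane Example",
        "address": "1 Example St",
        "ssn": "123-45-6789",
        "account_number": "000123456789",
    })
    app_service = Principal("card-application-service", frozenset({STORE_READ, VAULT_DETOKENIZE}))
    stolen_role = Principal("stolen-store-role", frozenset({STORE_READ}))
    return {
        "application": read_application(app_service, store, vault, "app-1"),
        "stolen_role": read_application(stolen_role, store, vault, "app-1"),
    }


if __name__ == "__main__":
    for who, row in demo().items():
        print(who, row)
```

Run it and compare the two rows: the stolen role sees name and address in the clear but only `tok_...` values for the SSN and account number. The general point holds for any transparent at-rest encryption, managed-cloud server-side encryption included: a principal the store trusts to read is, by construction, a principal the store decrypts for, so a key that matters has to sit behind a policy the reader does not hold, which is exactly what the separate vault does here.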
I need a good lawyer.
Re:
Now that I read the article and given the bank's admission of data breached and the nonchalant attitude about the breach, any lawyer will do.
Krebs' take
Krebs has a solid post on this....
https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/
I think you are missing something important.
It seems that an ex-Amazon employee pulled it from the data they stored on Amazon systems. AKA the bank gave Amazon the data (probably in the hopes that Amazon wouldn't look at it).
Bare minimum responsibility would have been for the data to be stored encrypted.
(in other words do not store sensitive data in the clear on third party systems.... humans have known this about as long as the idea of 'secrets' has existed)
Re:
Or not stored. Private data is toxic waste, and they had waste from 2005 still. Why do they need to instantly, and from anywhere, look at 14-year-old credit applications and all the private data they contain? Even if they needed the data, they'd have been better off using a filing cabinet, and then a leak would have been a few thousand records only. (And someone might have said "this is getting kind of full, let's shred the old stuff".)
Re: Re:
Hey, while I completely agree with you, dissing their fetishes may hurt their feelings (or at least that's the most plausible explanation that doesn't reflect TOO badly on them).
Re: Re:
Wait a sec - old credit application data was ALSO in that set?
How the hell can you get a copy of the dataset, as in a court case I know of, Capital One told the court they DIDN'T have that 2005 vintage CC application data.
Re: Re: Re:
The NYT link ("another major data breach") says that's the data they got. Maybe Capital One didn't have all the data, maybe they lied in court, maybe the hacker's just better at finding data (or cares more) than their employees.
The big question
How many of this type of data exfiltration have we not heard about yet?
Re: The big question
to a rounding error: all of it
What’s in your wallet?
Hackers, apparently.
Are Card Issuers Subject to PCI compliance?
I don't know for sure, the PCI compliance documentation is like trying to read oatmeal, but I unfortunately imagine this involves some broken laws on Capital One's part. I'm also a (Canadian) Capital One cardholder so I guess I'll find out a little more as this goes on.
Re: Are Card Issuers Subject to PCI compliance?
One Rule for Me
Another for Thee.
The requirements for PCI Compliance are mostly put on the Merchant, not Issuers, not Processors.
The Issuers and Processors wrote the rules.
Re: Re: Are Card Issuers Subject to PCI compliance?
As State Treasurer of the Green Party, I was 'forced' into 'compliance' with new credit card rules with all of our card processors, who billed us fee after fee each month, a cost many times the donations we were receiving most months. I could not hold a cardholder's name & number in this computer, Bla Bla; the fine was $10.00. No in-house Corporate attorney would bother to open a letter about a ten dollar fine assessment.
So, she knew enough and was clever enough to be able to hack into Capital 1 but wasn't clever enough to be able to keep her identity and whereabouts hidden? Even 'worse', she managed to allow the feds to get hold of everything they need to be able to arrest her and have sufficient evidence to indict, all within a matter of days! Yeah, right! As has happened so many times before, I can feel a set-up coming into play here!
Re:
Regrettably, the mine canary is always the first to be sacrificed.
Without an MBA and Certified Credentials from A Satisfactory Authority and Written Permit-sion, she is scum by default. Dostoyevsky's idiot is wise and correct, thus the name calling.
If she had in any way disguised her breach, she would be way further up the river.
Re: knew enough
She knew enough to have had a job with AWS and to have had the credentials needed to steal info. Many people in IT know their specific area but have little knowledge of other areas.
She clearly didn't know much about information technology forensics. I know many people in IT who don't know as much about privacy and covering tracks as the average non-IT professional.
The only reason this looks like a setup to you is that your sexist world view can't acknowledge that women can commit extortion or steal from former employers.
There are other problems with Capone
Hopefully reporters can ask some questions about CapOne and the rest of CC industry.
3 separate providers having these screw-ups makes me think there is a common back end set of code.
Walmart card cancelled. 1.5 years later a new card for walmart arrives with a letter saying it has upgraded tech. It works. After paid off, cancelled.
Ebay - did not complete the CC application. 1 year 2 months later letter arrives. Your card XXXX XXXX 6543 2109 did not get mailed the proper communication the FDCPA demands so here is this information. (yes the 8 digits are fake. But why send a letter with the 1st 8 Xed out as the last digits are the hard part to guess) No ebay CC appears on credit report.
CapOne - card is cancelled by customer. 8 months after cancellation a replacement chip and pin card is sent. A year and a half after that was done they started to send cash advance checks to a PO box as the old address was invalid. FDCPA violations of not sending the yearly notice along with sending to a PO Box and not having a valid physical address.
Either all 3 firms suck or there is a common backend that sucks.
Reminds me of Emo Philips's "No states end in 'A', except..." bit.
Capital One's Due Diligence might hang them...
When Capital One signed up w/ AWS, they undoubtedly performed due diligence complete with written checklists and the like. They obviously asked things such as:
1) Show us your redundant power supply
2) Show us your redundant water and cooling systems
3) Tell us what you do regarding outsiders accessing data.
4) Show us your logging facilities and what you do to keep the logs separate from the data.
etc., etc., etc.
It would be interesting to see their work papers regarding questions about how they protect data from insiders (80% of all incidents come from the inside according to the FBI). If they failed to go down the path of determining risk from inside threats, they will have "a lot of splainin" to do.
"she"
I don't think so, Tim....