Capital One says a hacker exposed the personal data of its customers, including about 140,000 Social Security numbers and tens of thousands of bank account numbers. Tens of millions of credit card applications were also stolen. The hack comes a week after the settlement reached between Equifax and the Federal Trade Commission concerning a hack in 2017 that affected 147 million customers.
The FBI arrested Seattle software engineer Paige Thompson over the breach and charged her with computer fraud and abuse. Thompson’s online activity led investigators to her, as she allegedly boasted about the hack on social networking sites. Thompson was allegedly able to find an opening in Capital One’s systems and exploit a weakness in some misconfigured networks, according to a Wall Street Journal analysis of hundreds of Ms. Thompson’s online messages and interviews with people familiar with the investigation.
Security professionals have warned about that gap for years. The messages and interviews suggest she used it to trick a system in the cloud into revealing the sensitive credentials she needed to access the vast number of customer records. Once she found the Capital One data, she was able to download it, the people familiar with the investigation said. All, apparently, without triggering any alerts.
In online messages in accounts that prosecutors have said were Thompson’s, she claimed to have also applied those techniques to access a trove of online data from other organizations. The messages were posted in online forums. Her lawyer didn’t respond to requests for comment and she remains in custody until a bail hearing scheduled for Aug. 15.
The breach of Capital One servers on March 22nd and 23rd exposed the personal information of nearly 106 million of the bank’s customers and applicants. The hacker gained access to personal information related to credit card applications from 2005 to early 2019 for consumers, applicants and small businesses. Capital One detected the breach on July 19. Among the personal data exposed were names, addresses, dates of birth, credit scores, transaction data, Social Security numbers and linked bank account numbers.
About 140,000 Social Security numbers and 80,000 linked bank account numbers were exposed, Capital One said. For Canadian credit card customers and applicants, approximately 1 million Social Insurance Numbers were exposed. Capital One said, however, that no credit card account numbers or login credentials were revealed in the hack. Capital One said it will notify customers and credit card applicants whose data was exposed in the breach.