Source: PAUL J. RICHARDS / Getty
Another day, another data breach. Equifax is currently out here giving people affected by its massive data breach $125 as part of its recently announced settlement. Now, Captial One is the latest company to have its customers private information exposed.
Capital One revealed that someone hacked into its systems earlier this year and exploited a “configuration vulnerability” allowing them to decrypt and access customer data. The breach reportedly has affected over 100 million people in the United States as well as about 6 million in Canada.
In court documents, Paige Thompson was identified as the culprit behind the hack that took place on March 22nd and 23rd earlier this year. She has already been arrested by the FBI but not before she exposed the Social Security Numbers of 140,000 people and bank account numbers for 80,000. Thompson, who goes by the user handle “erratic” worked at a nameless cloud computing provider between the years 2015 to 2016 that was used by Captial One to store its data.
Paige as per the court documents exploited a “misconfigured web application firewall” and took to Github to reveal the breach. A user who saw the post alerted Captial One on July 17 using its disclosure process, the company confirmed the hack two days later.
Per the US Department of Justice:
According to the criminal complaint, THOMPSON posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI. Cyber investigators were able to identify THOMPSON as the person who was posting about the data theft. This morning agents executed a search warrant at THOMPSON’s residence and seized electronic storage devices containing a copy of the data.
Capital One claims that 99 percent of the Social Security numbers and credit card numbers were not stolen in the breach. Despite the company’s focus on that, the damage has already been done. Thompson and her ability to obtain so much information without being detected until Capital One being alerted is seriously alarming.
Capital One says it will notify those who had their data were stolen, that includes anyone who has applied for cards between 2005 and early 2019. Can’t they hack Sallie Mae and just wipe away everyone’s student loans?
—
Photo: PAUL J. RICHARDS / Getty
Bored Hacker Exposes “Configuration Vulnerability” In Capital One’s System was originally published on hiphopwired.com
