Dive Brief:
- A data breach at Capital One is affecting about 100 million people in the U.S. and another 6 million in Canada, the bank announced Monday. The data, connected to credit card applications filed between 2005 and 2019, included names, postal codes, birth dates and self-reported income. The breach also exposed credit scores, credit limits, balances, payment history and fragmented transaction history from 2016 to 2018. The bank estimates about 140,000 Social Security numbers and 80,000 linked bank account numbers to credit card customers were also compromised, according to the announcement.
- Paige Thompson, 33, a former employee of Amazon Web Services, was charged with computer fraud and abuse Monday and appeared in a Seattle court after FBI agents searched her home. Thompson accessed the data between March 12 and July 17, according to a complaint filed in court. An improperly configured firewall allegedly allowed Thompson to access the data. Capital One said it fixed the issue once it was discovered.
- After regulators handed two record fines to Equifax and Facebook for data privacy infringements, Capital One's legal ramifications are grim. The company expects incremental costs between $100 million and $150 million in 2019 because of the incident.
Dive Insight:
A tipster that Capital One described as an "external security researcher" alerted the company to the breach July 17 in an email providing a link to a GitHub account that included Thompson's name, according to the Department of Justice.
Capital One investigators determined that Thompson used The Onion Router, an anonymity tool that allows users to conceal their identities, in her hack. But authorities were tipped off when Thompson bragged about the intrusion online under the handle "erratic."
The bank said it was "unlikely that the information was used for fraud or disseminated by this individual."
Capital One sets itself apart from other financial services companies because of its public cloud-first strategy relying on Amazon Web Services, as opposed to private clouds and internal firewalls. CEO Richard Fairbank on a conference call in April, called the bank "one of the most cloud-forward companies in the world." The bank has said it plans to exit its data centers by next year, and that the move will help lower costs.
Thompson last worked at Amazon Web Services in 2016. A spokesman for the company said the data wasn’t accessed through a breach or vulnerability in that company's systems.
Equifax's 2017 data breach was also executed from an unpatched web application vulnerability. While Equifax's vulnerability had an available patch at the time of the intrusion, it's unknown whether the same was true for Capital One.
— Samantha Ann Schwartz contributed to this story.
