Capital One disclosed that it suffered a data breach exposing the personal information of around 106 million people due to a configuration vulnerability.
The big picture
Capital One became aware of the incident on July 17, 2019, after an ethical hacker responsibly disclosed the vulnerability to the company. Capital One then launched an internal investigation into the vulnerability and found that an unauthorized third party had gained access to its systems and customer data between March 22, 2019, and March 23, 2019.
“Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible and that person is in custody,” Capital One said in a security notice.
What information was compromised?
The exposed information includes the personal and financial information of consumers and small businesses who applied for credit card products between 2005 and 2019. This information includes:
What actions were taken?
“We are very thankful to the FBI's Seattle Field Office and Special Agent Joel Martini, to U.S. Attorney Brian T. Moran, and to Assistant U.S. Attorneys Steven Masada and Andrew Friedman of the Western District of Washington for the speed with which they responded to this incident and apprehended the responsible party,” Capital One said.
Arrest of the suspect
Paige A. Thompson, aka erratic, 33, a former software engineer at a Seattle technology company, has been arrested by the FBI for stealing customer data from Capital One.
Upon discovery on July 19, 2019, Capital One notified the FBI. Cyber investigators identified THOMPSON as the person who posted about the data theft on GitHub. FBI agents then executed a search warrant at THOMPSON’s residence and seized electronic storage devices containing a copy of the data.
“According to the criminal complaint, THOMPSON posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. The intrusion occurred through a misconfigured web application firewall that enabled access to the data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft,” DOJ said in a press release.