Now Someone Other than Capital One Knows What's In Your Wallet!

Another huge data breach. This time it’s Capital One. An ethical hacker reported the breach, and it was discovered that an unauthorized party had access to a huge amount of PII. The cost could be considerable for the company, although they have insurance with a 10 million dollar deductible and coverage up to $400,000,000. The PII dates back to 2005 and includes many small businesses' information. Capital One issued a press release promptly explaining the nature of the breach.

Capital One believes the data was not disseminated but is still investigating. “According to WSJ, a former employee of Amazon, Paige A. Thompson — Twitter handle “erratic” — was charged with a single count of computer fraud and abuse in U.S. District Court in Seattle. Thompson, who the Wall Street Journal reported is a former employee of Amazon Web Services, made an initial appearance in court and was ordered to remain in custody pending a detention hearing Thursday.”

"The data breach was discovered when an ethical hacker responsibly disclosed the vulnerability to Capital One on July 17th, 2019. After performing an internal investigation of whether this vulnerability had been used in the past, Capital One discovered that an unauthorized user had access to their systems and customer data between March 22nd and 23rd of 2019."

From the Capital One press release:
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Chairman and CEO. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

"Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.

Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.

The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of our credit card customers
  • About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

We will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected."

Complete press release from Capital One:
http://press.capitalone.com/phoenix.zhtml?c=251626&p=irol-newsArticle&ID=2405043

Now here is a good example of third-party security: we have another example of some kind of either misconfiguration or vulnerability in an Amazon S3 bucket (not known as of yet, I believe). I can relate, as my organisation also uses AWS for its ecommerce platform, but our IT guys state that Amazon themselves have no access and therefore any vulnerabilities or misconfigurations will be down to us and not the result of any Amazon employee, rogue or otherwise. But my question is, how do we truly know? My answer would be to have watertight contracts that place legal obligations and responsibilities on all parties in the form of data protection clauses. But it turns out that the contract between us is a standard set of terms and conditions we can access on their website, and this includes statements of adherence to PCI DSS and ISO 27001. However, if we ask whether we can scan beyond our platform or ask for certificates etc… we get a polite "on your bike" response. Oh the joys!!!
