Alleged culprit arrested on computer fraud charges

It’s feared that millions of Capital One customers have had their personal information compromised after a hacker gained access to the company’s server, the US financial services company announced on Monday (July 29).

The alleged hacker, identified in a criminal complaint (PDF) as Paige A. Thompson, was arrested in Seattle and charged with computer fraud and abuse, prompting Capital One’s announcement, despite the incident having first been identified on July 19.

Thompson is believed to have exploited a “specific configuration vulnerability” in the company’s infrastructure, which Capital One is said to have patched when it learned of its discovery on July 17 via its ‘responsible disclosure program’.

“We then began our own internal investigation, leading to the July 19, 2019, discovery of the incident,” Capital One said in a press statement (non-HTTPS link).

“On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers,” the company said.

“This occurred on March 22 and 23, 2019.”

Publicly available court documents (PDF) allege that a misconfigured firewall on Capital One’s cloud storage allowed the perpetrator to gain access to files, which were subsequently stolen and posted on GitHub.

100 million customers

According to Capital One, approximately 100 million individuals living in the US and six million in Canada were affected by the incident, which saw personal information stolen pertaining to customer credit card applications given to the company from 2005 through to early 2019.

This included names, addresses, email addresses, phone numbers, dates of birth, and self-reported income such as credit scores, credit limits, balances, payment history, and contact information.

In addition, 140,000 Social Security numbers were compromised in the US, and one million Social Insurance Numbers were stolen from Capital One’s Canadian customers.

It is not yet known whether any of the stolen data has been used maliciously.

“[W]e believe it is unlikely that the information was used for fraud or disseminated by this individual,” said Capital One. “However, we will continue to investigate.”

The company reiterated that no credit card account numbers or login details were compromised, and that the Social Security details of 99% of its customers were not affected.

Capital One said it plans to notify all impacted customers, and will be providing them with free credit monitoring and identity protection.

Richard Fairbank, Capital One chairman and CEO, said: “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened.

“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Thompson will attend a hearing regarding her charges on August 1, the Department of Justice said.

Capital One is one of the US’s largest financial institutions, and the country’s third-biggest credit card issuer.

The Daily Swig has reached out to Capital One for comment.