From computer security blog CyberScoop:
Capital One announces massive data breach; lone suspect arrested in Seattle
Financial giant Capital One announced a large data breach Monday, with the company saying that one person accessed personal information on up to 100 million people in the United States and 6 million in Canada who had applied for or are currently considered users of the company’s credit cards.
Additionally, the FBI arrested a woman in Washington who is suspected of hacking into the company to obtain that information. Paige A. Thompson was arrested Monday and appeared in federal court in Seattle.
According to the complaint, Thompson allegedly took wide swaths of personal information from Capital One’s cloud storage instances on March 22 and March 23. The company says this information included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. The information ranged from 2005 to early 2019.
And the how?
According to the FBI, a misconfigured firewall allowed Thompson to access a list of more than 700 folders, which contained the data. Sometime shortly thereafter, Thompson allegedly posted on GitHub that she was in possession of the data.
My first thought was that it was an inside job. Bad setup on a firewall - sheesh guys... I got a really sweet job in Seattle by leaving a text message in the root directory of one of their servers. When asked what I could bring to the company, I said that I could increase the security and to look for this file on that server. Their outgoing IT guy (he was leaving to go to graduate school) left the room and came back with an ashen face. Sweet job and wonderful people.
Leave a comment