By Rob Verger | July 30, 2019
Between major breaches like ones from Equifax and Marriott, you could be forgiven for having data-theft fatigue. It’s that world-weary feeling of knowing that once again, the personal information of millions has been compromised.
But the news about one how one hacker managed to nab information relating to around 100 million people from Capital One is not just concerning. It’s unusual.
Here’s what you should know about the incident, which involves Paige A. Thompson, the hacker Capital One describes as a “highly sophisticated individual.” She has already been arrested by the FBI.
Who was affected by the Capital One personal data breach?
Capital One says that in the United States, 100 million people were affected. In Canada, that number is 6 million. Most of the information comes from people or businesses who applied for credit cards. That contains the kind of information you might expect to see on a credit card application—data like names, birthdays, and phone numbers. The hacker also allegedly obtained some credit card information, like credit scores.
The most serious information that Thompson allegedly acquired: the social security numbers of some 140,000 credit card customers. While that’s a small percentage of the 100 million or so people affected, a leaked social security number is always a big deal.
In Canada, some 80,000 bank account numbers and 1 million social insurance numbers were also compromised.
So what happened to the stolen information?
Capital One says that they “believe it is unlikely that the information was used for fraud or disseminated by this individual.” If true, that’s a very good thing. In other hacks, bad actors distribute stolen credentials like usernames and passwords, and then cybercriminals use them to try to log onto other sites in a tactic called credential stuffing. (In this case, the hack did not include that kind of information, according to Capital One.)
How do I check to see if I was affected by the Capital One data breach?
Capital One says that they will let people know if their information was involved in the hack via “a variety of channels.” The bank did not reply to requests for further information on how people may find out if their data was swept up in the breach. Capital One also notes that most of the leaked information pertains to applications for “credit card products” between 2005 and this year.
How did this all happen?
According to both Capital One and this criminal complaint filed by the U.S. Attorney’s Office in Washington state, the suspect, Paige Thompson, acquired the data by hacking into Amazon Web Services, or AWS.
Capital One learned about this after receiving an email on July 17 tipping them off. That email is reproduced on page 5 of the criminal complaintand references “s3 data.” S3, or Amazon Simple Storage Service is, as its name implies, a data storage service that’s part of AWS. The whistleblower who pinged Capital One about the data noticed that the hacker, allegedly Thompson, posted the stolen information on a service called Github.
Thompson allegedly hacked her way in due to a weakness in the firewall configuration, according to the complaint.
What makes this cybersecurity incident so peculiar?
“It’s extremely unusual,” says Shuman Ghosemajumder, the CTO of cybersecurity company Shape Security. There are several reasons: for one, the suspect appears to have been working alone, and it’s unclear what her goal was. Based on publicly available information, Ghosemajumder observes that this “individual didn’t even have a very clear motive in terms of how she was going to monetize this.”
Another factor that makes this incident atypical is that Capital One’s announcement of the breach coincided with the news that the perpetrator had already been arrested. “Usually what happens is that there is a long period of time where forensic analysis is required to create any kind of hope of attribution, and in a lot of cases they can never identify who the individuals or organizations behind a particular data breach were,” Ghosemajumder says.
This hack also appears to have originated within the U.S., which made the sleuthing work undertaken by the Justice Department—specifically FBI Special Agent Joel Martini—easier than if the hacker were overseas.
Incidents like this one, Ghosemajumder adds, make for “a powerful deterrent for U.S.-based persons to not engage in criminal activity.”