Capital One gets Capital Done: Hacker swipes personal info on 106 million US, Canadian credit card applicants

More than 1 million social numbers nicked among other details – FBI collars, charges software engineer

Capital One bank card from Shutterstock

A hacker raided Capital One's cloud storage buckets and stole personal information on 106 million credit card applicants in America and Canada.

The swiped data includes 140,000 US social security numbers and 80,000 bank account numbers, we're told, as well as one million Canadian social insurance numbers, plus names, addresses, phone numbers, dates of birth, and reported incomes.

The pilfered data was submitted to Capital One by credit card hopefuls between 2005 and early 2019. The info was siphoned between March this year and July 17, and Capital One learned of the intrusion on July 19.

Seattle software engineer Paige A. Thompson, aka "erratic," aka 0xA3A97B6C on Twitter, was suspected of nicking the data, and was collared by the FBI at her home on Monday this week. The 33-year-old has already appeared in court, charged with violating the US Computer Fraud and Abuse Act. She will remain in custody until her next hearing on August 1.

According to the Feds in their court paperwork [PDF], Thompson broke into Capital One's cloud-hosted storage, believed to be Amazon Web Services' S3 buckets, and downloaded their contents.

The financial giant said the intruder exploited a "configuration vulnerability," while the Feds said a "firewall misconfiguration permitted commands to reach and be executed" by Capital One's cloud-based storage servers. US prosecutors said the thief slipped past a "misconfigured web application firewall."

Either way, someone using VPN service IPredator and the anonymizing Tor network illegally accessed the bank's in-the-cloud systems, and downloaded citizens' private data. This "misconfiguration" has since been fixed.

Thompson was, for what it's worth, an engineer at Amazon Web Services, specifically on its cloud storage systems, between 2015 and 2016, and worked on various software projects in her spare time as well as running her own server-hosting outfit, Netcrave.

In a webpage dedicated to the hack, Capital One said on Monday:

Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.

Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised. The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019.

This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

Capital One said it is "unlikely" the stolen information was shared with anyone else before the suspected hacker was cuffed. Interestingly enough, the FBI said certain info, notably the social security and insurance numbers, were tokenized or encrypted, whereas Capital One reckoned at least some were compromised as a result of the theft. This suggests most, though not all, of the numbers were scrambled and useless to outsiders. The credit card biz went on say:

Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

* Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information

* Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

No bank account numbers or Social Security numbers were compromised, other than:

* About 140,000 Social Security numbers of our credit card customers

* About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

Affected customers will be alerted to the cyber-raid by Capital One staff, we're told, and offered the usual free identity theft and credit monitoring protection. An FAQ is available here for more details.

Arrest

It is alleged Thompson bragged about her hack to pals on Slack, and spilled the beans in a public GitHub Gist post – a move that led the Feds literally to her front door with a search warrant.

According to Uncle Sam, a GitHub user spotted erratic's Gist post containing information about Capital One's systems, and privately emailed the financial giant to warn it may have been cyber-plundered by miscreants. Erratic's Gist listed details of some 700 Capital One cloud buckets, as well as commands to access then, the FBI claimed, and when the bank's techies tested these commands, they found they were indeed able to retrieve credit card applicants' data.

Specifically, one command obtained credentials for the next two commands, which listed Capital One's S3 buckets, and fetched their contents. A peek inside Capital One's system logs showed those commands were used earlier this year by someone outside the bank, via Tor and IPredator.

bank robbery

Solid password practice on Capital One's site? Don't bank on it

READ MORE

Two days later, Capital One called in the FBI, which alleged they were able to, from the GitHub Gist post, identify Thompson from her GitHub account because it used her full real name as the account name: paigeadelethompson.

This name led investigators to her home address via a search of Washington state's driving license database. Her GitHub account also linked to her GitLab profile that hosted her systems engineer resume, which contained her address and full name. Her GitHub account was also accessed by the same IPredator IP addresses as those used to break into Capital One's S3 buckets, it is claimed.

Thompson also, it is alleged, told a friend via private message, "I've basically strapped myself with a bomb vest, fucking dropping Capital Ones [sic] dox and admitting it. I wanna distribute those buckets I think first. Theres [sic] SSNs... with full name and DoB." Said friend tipped off Capital One, the FBI said.

When agents rifled through her belongings at her Seattle home, they found storage devices containing the stolen Capital One data, it is claimed. She was promptly arrested and charged.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Capital One CEO and chairman Richard Fairbank.

"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

Brian Moran, US Attorney of the western district of Washington state, added: “Capital One quickly alerted law enforcement to the data theft – allowing the FBI to trace the intrusion. I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.” ®

Sponsored: Your Guide to Becoming Truly Data-Driven with Unrivalled Data Analytics Performance

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019