Capital One Reports Data Breach Affecting 100 Million Customers, Applicants

Source: WSJ | Published on July 30, 2019

Capital One Financial Corp., the fifth-largest U.S. credit-card issuer, said Monday that a hacker accessed the personal information of approximately 106 million card customers and applicants, one of the largest-ever data breaches of a big bank.

Paige A. Thompson, 33 years old, was arrested in connection with the hack Monday by federal agents in Seattle, officials said. Ms. Thompson is accused of breaking through a Capital One firewall to access customer data that the bank had stored on Amazon.com Inc.’s cloud service, according to a federal criminal complaint and people familiar with the matter.

The bulk of the exposed data involves information submitted by customers and small businesses that applied for Capital One credit cards between 2005 and early 2019, the bank said, including addresses, dates of birth and self-reported income.

Ms. Thompson is a former employee of Amazon Web Services Inc., according to people familiar with the matter. The criminal complaint says Ms. Thompson’s résumé showed she worked at a cloud-computing company, which the government didn’t name, as a systems engineer from 2015 to 2016.

A spokesman for Amazon didn’t immediately respond to a request for comment.

The breach compromised approximately 140,000 Social Security numbers and 80,000 bank account numbers, as well as some customers’ credit scores, payment histories and credit limits. It follows a breach in 2017 at credit-reporting company Equifax Inc., which exposed the data of nearly 150 million Americans and focused public and congressional attention on the sensitive information that financial companies keep on their customers.

The Capital One breach could prove to be damaging if criminals use the stolen information to apply for credit in the names of the most creditworthy or affluent people. Unlike most large U.S. card issuers, Capital One also counts many subprime consumers among its customers.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, the bank’s chairman and chief executive. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Although the bank said it is unlikely the stolen information was disseminated or used for fraud, the criminal complaint alleges Ms. Thompson intended for the data to be distributed online. The bank said that its investigation continues and that the incident is expected to cost approximately $100 million to $150 million.

Ms. Thompson, who is charged with one count of computer fraud and abuse, allegedly accessed the bank’s data through a misconfigured firewall.

A lawyer for Ms. Thompson, who appeared in Seattle federal court for an initial hearing, didn’t immediately respond to a request for comment.

Under the username “erratic,” Ms. Thompson boasted online about her alleged theft of the data, which allowed law enforcement to quickly identify her, according to prosecutors.

The breach occurred in late March, the bank said. This month, an ethical hacker—a person who hacks into a network to test its security—emailed Capital One about the leak of its data, and the bank alerted law enforcement July 19.

Among large banks, Capital One has been an enthusiastic adopter of the cloud for data storage. In its April earnings call, Mr. Fairbank talked about the bank’s technology transformation over the past 25 years. “What we’re doing at Capital One is building a technology company that does banking, instead of a bank that just uses technology,” he said.

The bank has also been public in its embrace of Amazon Web Services. It has closed data centers and shifted those activities to Amazon, a process it expects to complete fully in 2020. The bank’s executives have been featured speakers at Amazon conferences and said that the firm’s use of the cloud has helped the bank handle spikes in computing-power needs, such as credit-card purchases on Black Friday, and roll out products faster to customers.

Banks have moved cautiously to the cloud, partly because of security concerns and the need to keep certain customer and transaction data walled off.

Older mainframe systems, often patched together as a result of bank mergers, can make such a move a major undertaking.