Updated, 7/31/19, 5:45am PT: The U.S. Department of Justice announced that it has arrested Paige Thompson, who reportedly worked at Amazon Web Services in Seattle, for hacking into Capital One's servers. Thompson was charged with computer fraud and abuse, which the Justice Department said carries a maximum punishment of five years in prison and a $250,000 fine. She "was ordered detained pending a hearing on August 1" after the FBI searched her apartment and found evidence linking her to the Capital One data breach.
The Justice Department alleged that Thompson openly discussed the Capital One hack on GitHub, Twitter, and Slack using the "erratic" alias. Thompson was also accused of stealing, or at least attempting to steal, information from several other unidentified companies. Her comments across various social platforms then indicated that she planned to publicly share the stolen data, according to the complaint, although it's not clear if she managed to share more than a few of the stolen files before she was arrested on July 29.
Original article, 7/30/19, 8:22am PT:
Capital One revealed on Monday that a data breach compromised the personal information of roughly 100 million people in the U.S. and 6 million people in Canada. The company said that credit information, transaction history, Social Security Numbers, bank account numbers and Social Insurance Numbers were all compromised as part of the "unauthorized access by an outside individual" on July 18.
Most of the compromised information came from consumers and small businesses that applied for a credit card between 2005 and 2019. Capital One said these applications collected "names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income." This was reportedly the "largest category of information accessed" during the data breach earlier this month.
But the breach didn't affect every individual equally. Capital One said the person who accessed its systems earlier this month only managed to steal the Social Security Numbers of 140,000 of its credit card customers, the bank account numbers of 80,000 people who linked their credit cards to their bank accounts and the Social Insurance Numbers of roughly 1 million of its customers in the Great White North.
More people had their "credit scores, credit limits, balances, payment history, contact information" and other customer status data compromised. Capital One said the breach also exposed "fragments of transaction data from a total of 23 days during 2016, 2017 and 2018." But that was still just a subset of the stolen information; most of the data reportedly came from the credit applications.
Capital One's Response
Capital One said it's already responded to the breach:
"Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate," the firm said in a statement.
Capital One said it will contact affected customers and offer free credit monitoring and identity protection services. We're interested in learning how long it plans to offer those services free of charge, especially since it doesn't think the stolen information was shared.
Just don't think this is the end of the breach's aftermath; similar breaches at the likes of Equifax took years to reach a partial resolution.