Capital One: Hackers steal 100 million Americans’ data

Credit: BBC

A hacker who obtained the names, addresses, phone numbers and birth dates of Capital One customers in the US and Canada has been arrested by the FBI.

Over 100 million Americans have had data stolen by a hacker who obtained credit scores, balances and Social Security numbers of about applicants.

Virginia-based Capital One claimed to have discovered the hack on July 19, immediately seeking help from law enforcement. The FBI complaint details that the bank was emailed two days prior, notifying them that leaked data had appeared on GitHub. A month ago, a Twitter user using the pseudonym “erratic” sent Capital One direct messages threatening to leak the bank’s data.

Paige A Thompson, the user behind “erratic”, was charged with a single count of computer fraud and abuse, in Seattle. Thompson has made a first appearance in court and is in custody pending detention later this week. Thompson’s residence was raided on Monday, with digital devices seized. The FBI conducted an initial search, which found files referencing Capital One and “other entities that may have been targets of attempted or actual network intrusions”.

Capital One claimed the hacker “exploited” a “configuration vulnerability” in their infrastructure. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Chairman Richard Fairbank in a statement. “I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Thompson faces a maximum prison sentence of five years and a $250,000 (£204,713) fine.

Is it easier to hack data these days?

Like Tinder, texting and tweeting, hacking has become a mainstream tech topic as the internet as developed. No longer a concern reserved for computer geeks and IT guys, hacking is a mainstream worry: one that can affect huge swathes of people who otherwise have no more than a passing interest in the web.

The truth is that the world is online. We bank online, make friends online, our post has been redirected to virtual inboxes over the years and a lot of our shopping is conducted on Amazon. With so many accounts and profiles on websites and apps – and with every business you associate with storing their data somewhere accessible – hacking opportunities are rife.

The Capital One scare is not an isolated case. “Although some of the information in those applications (such as Social Security numbers) has been tokenised or encrypted, other information including applicants’ names, addresses, dates of birth and information regarding their credit history has not been tokenised,” the FBI warned of the situation. It is frighteningly easy to obtain such sensitive information unencrypted.

A server can host dozens of websites. That’s potentially limitless data harvested all from one website with open ports and the option to upload a profile picture.

Last year, Cambridge Analytica infamously accessed 87 million Facebook users’ data illegally. Also last year, Facebook-owned WhatsApp, admitted that hackers were able to install spyware on Android and Apple devices. Over 57 million customers of Uber had data hacked in October 2016 and a year later, Yahoo confirmed that all 3 billion of its user accounts were breached.

When hacking a website, for example, hackers look for open ports. From there, they can determine how many files are stored on the webserver. File uploads on sites are one way that attackers can find a way in: unrestricted file upload can lead to hackers performing a complete system takeover, an overloaded file system or database or even simple defacement.

A server can host dozens of websites. Hackers can find a way into a database with root privileges without too much fuss. That’s potentially limitless data harvested all from one website with open ports and the option to upload a profile picture

What happens next for Capital One?

Capital One customers across the pond are being advised to change all their passwords immediately. Checking credit cards and banking statements for suspicious activity is another given.

Capital One’s headquarters in Tysons, Virginia / Credit: Bisnow

However, that’s just the beginning for a bank who may have lost the trust of a lot of their users. Capital One has guessed that the incident will cost $100 million to $150 million in the short term. The data was posted for almost three months; Capital One’s stock was down 5% in premarket trading on Tuesday.

Despite the scare, the bank has claimed that “no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised”.

Luke Conrad

Technology & Marketing Enthusiast

Ab Initio partners with BT Group to deliver big data

Luke Conrad • 24th October 2022

AI is becoming an increasingly important element of the digital transformation of many businesses. As well as introducing new opportunities, it also poses a number of challenges for IT teams and the data teams supporting them. Ab Initio has announced a partnership with BT Group to implement its big data management solutions on BT’s internal...

WAICF – Dive into AI visiting one of the most...

Delia Salinas • 10th March 2022

Every year Cannes held an international technological event called World Artificial Intelligence Cannes Festival, better known by its acronym WAICF. One of the most luxurious cities around the world, located on the French Riviera and host of the annual Cannes Film Festival, Midem, and Cannes Lions International Festival of Creativity. 

Bouncing back from a natural disaster with resilience

Amber Donovan-Stevens • 16th December 2021

In the last decade, we’ve seen some of the most extreme weather events since records began, all driven by our human impact on the plant. Businesses are rapidly trying to implement new green policies to do their part, but climate change has also forced businesses to adapt and redefine their disaster recovery approach. Curtis Preston,...