A hacker who obtained the names, addresses, phone numbers and birth dates of Capital One customers in the US and Canada has been arrested by the FBI.
Over 100 million Americans have had data stolen by a hacker who obtained credit scores, balances and Social Security numbers of about applicants.
Virginia-based Capital One claimed to have discovered the hack on July 19, immediately seeking help from law enforcement. The FBI complaint details that the bank was emailed two days prior, notifying them that leaked data had appeared on GitHub. A month ago, a Twitter user using the pseudonym “erratic” sent Capital One direct messages threatening to leak the bank’s data.
Paige A Thompson, the user behind “erratic”, was charged with a single count of computer fraud and abuse, in Seattle. Thompson has made a first appearance in court and is in custody pending detention later this week. Thompson’s residence was raided on Monday, with digital devices seized. The FBI conducted an initial search, which found files referencing Capital One and “other entities that may have been targets of attempted or actual network intrusions”.
Capital One claimed the hacker “exploited” a “configuration vulnerability” in their infrastructure. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Chairman Richard Fairbank in a statement. “I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Thompson faces a maximum prison sentence of five years and a $250,000 (£204,713) fine.
Is it easier to hack data these days?
Like Tinder, texting and tweeting, hacking has become a mainstream tech topic as the internet as developed. No longer a concern reserved for computer geeks and IT guys, hacking is a mainstream worry: one that can affect huge swathes of people who otherwise have no more than a passing interest in the web.
The truth is that the world is online. We bank online, make friends online, our post has been redirected to virtual inboxes over the years and a lot of our shopping is conducted on Amazon. With so many accounts and profiles on websites and apps – and with every business you associate with storing their data somewhere accessible – hacking opportunities are rife.
The Capital One scare is not an isolated case. “Although some of the information in those applications (such as Social Security numbers) has been tokenised or encrypted, other information including applicants’ names, addresses, dates of birth and information regarding their credit history has not been tokenised,” the FBI warned of the situation. It is frighteningly easy to obtain such sensitive information unencrypted.
A server can host dozens of websites. That’s potentially limitless data harvested all from one website with open ports and the option to upload a profile picture.
Last year, Cambridge Analytica infamously accessed 87 million Facebook users’ data illegally. Also last year, Facebook-owned WhatsApp, admitted that hackers were able to install spyware on Android and Apple devices. Over 57 million customers of Uber had data hacked in October 2016 and a year later, Yahoo confirmed that all 3 billion of its user accounts were breached.
When hacking a website, for example, hackers look for open ports. From there, they can determine how many files are stored on the webserver. File uploads on sites are one way that attackers can find a way in: unrestricted file upload can lead to hackers performing a complete system takeover, an overloaded file system or database or even simple defacement.
A server can host dozens of websites. Hackers can find a way into a database with root privileges without too much fuss. That’s potentially limitless data harvested all from one website with open ports and the option to upload a profile picture
What happens next for Capital One?
Capital One customers across the pond are being advised to change all their passwords immediately. Checking credit cards and banking statements for suspicious activity is another given.
However, that’s just the beginning for a bank who may have lost the trust of a lot of their users. Capital One has guessed that the incident will cost $100 million to $150 million in the short term. The data was posted for almost three months; Capital One’s stock was down 5% in premarket trading on Tuesday.
Despite the scare, the bank has claimed that “no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised”.