A hacker named Paige Thompson broke into Capital One’s database by exploiting a ‘configuration vulnerability’ in the company’s infrastructure. The hacker, a former Amazon employee, also boasted about her feat on social media.
“I’ve basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” Thompson wrote, under the “erratic” alias, in a June 18 Twitter message. “There ssns…with full name and dob” — an apparent reference to Social Security numbers.
Capital One was made aware of the hack after a ‘white hacker’ sent an email to an address set up by the company. “Hello there,” the email said, according to federal prosecutors. “There appears to be some leaked s3 data of yours in someone’s github/gist.” A link was provided to an account at GitHub, a company that allows users to manage and store project revisions, mostly related to software development.
To Capital One’s credit, it did not take them long to identify the individual and assess the damage. On July 22nd, it announced that about 100 million people in the U.S. had been impacted by the breach, and another 6 million in Canada. The illegally accessed data, which was stored on servers rented from Amazon Web Services, was primarily related to credit card applications and included personal information, like names, addresses and dates of birth, and some financial information, including self-reported income and credit scores.
Capital One said that about 140,000 Social Security numbers and 80,000 linked bank account numbers were compromised in the US. It said it was unlikely that the information had been used for fraud, but that it would continue to investigate the breach.
The company will notify those affected and will provide them with free credit monitoring and identity protection. The Chairman, Richard Fairbank, issued a personal apology in a statement saying: “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened.” He added, “I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Ms Thompson, meanwhile, faces a maximum sentence of five years in prison and a $250,000 fine.