Suspect Arrested In Capital One Bank Breach Affecting 106m Customers

Personal information on about 106 million credit card applicants across the US and Canada was stolen in a cyber-attack, US financial services company Capital One has revealed.

US federal authorities arrested a suspect, Paige Thompson, after she allegedly boasted of the exploit on the GitHub code hosting site.

The hack affected 100 million people in the US and 6 million in Canada, with the attacker accessing information including credit scores and balances, as well as the Social Security numbers of about 140,000 individuals, according to the bank.

The breach is believed to be one of the largest in banking history.

Arrest

Capital One said it would offer free credit monitoring and identity protection services to those affected.

Paige Thompson was charged with a single count of computer fraud and abuse in the US District Court in Seattle. She made an initial appearance in court and is to remain in custody pending a detention hearing on Thursday.

She faces a maximum sentence of five years in prison and a fine of $250,000 (£204,713).

The FBI raided Thompson’s residence on Monday and seized digital devices, with an initial search finding files that made references to Capital One and “other entities that may have been targets of attempted or actual network intrusions”.

Thompson, 33, is a former technology company software engineer, the US Justice Department said.

Virginia-based Capital One said it became aware of the attack on 19 July and reported it to law enforcement.

GitHub boast

According to the FBI complaint, a GitHub user had earlier emailed the bank saying that Thompson had boasted of having stolen the bank’s data.

“On July 17 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft,” stated the US attorney’s office in Washington.

In mid-June, a Twitter user with the handle “erratic” sent Capital One direct messages threatening to distribute stolen data including names, birthdates and social security numbers, the FBI said.

Capital One said it is unlikely the data was used for fraud, but that it will continue to investigate.

“I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right,” said Capital One chairman Richard Fairbank in a statement.

Firewall misconfigured

A security expert said the breach had been the result of Capital One’s neglect of basic security practices.

“From reading their description of the breach, you would be forgiven for thinking it was an elite hacker exploiting a vulnerability,” said Immersive Labs chief executive James Hadley.

“In reality, as stated by the FBI, it was simply a poorly configured firewall that allowed the hacker in.”

Hadley said the breach showed that companies “have a lot to learn when it comes to deploying security technology effectively”.

Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
