It’s hard to imagine anything lucky about a data breach affecting more than 100 million customers. But Capital One got lucky because the Seattle woman accused of accessing the bank’s data was apparently as clueless as she was ruthless.
Paige Thompson, a Seattle tech worker arrested in connection with the data theft, went on social media to brag about her exploits. Had she not, the damage could have been far worse for Capital One and its customers; the hack did not compromise credit card account numbers or log-in credentials, Capital One said.
“We are lucky in this instance to have an agent who while technically savvy was relatively immature and spread the news over social media, leaving her tracks open for discovery,” said Arjun Sethi,, a partner and vice chair of A.T. Kearney's Digital Transformation Practice.
According to U.S. Justice Department records, Thompson “posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. … On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft.”
Sethi said by bragging about the intrusion as the FBI accuses her of doing, Thompson may have helped Capital One and other financial institutions close a major flaw in their security systems.
Investigators allege that Thompson stole the data—belonging to more than 100 million U.S. customers and 6 million in Canada—by intruding into Capital One’s data storage via a misconfigured web application firewall hosted on a cloud server. While the court records don’t say which one, several published reports claim it belonged to Amazon.
Capital One officials say they learned that the intrusion took place on March 22 and 23 and that the affected data included personal information from people who had applied for credit card products and the Capital One credit card between 2005 and early 2019.
This information included personal information Capital One “routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income,” according to the company website.
Beyond the credit card application data, the hacker also obtained portions of credit card customer information, including status data (credit scores, credit limits, balances, payment history and contact information) and transaction fragments (from a total of 23 days ranging between 2016 and 2018).
All told, about 140,000 Social Security numbers and 80,000 linked bank account numbers of secured credit card customers were accessed from U.S. customers, along with about one million Social Insurance numbers of Canadian customers, according to Capital One.
Could the hack happen again?
On the one hand, Capital One had some level of post-hack protection. Because select data fields such as Social Security and account numbers were tokenized—in other words, substituted with a cryptographically generated replacement—they remained protected.
But Sethi contends the breach shows that Capital One’s “overall cyber architecture and resilience planning seems to have been questionable and sub optimal.”
If an application can potentially provide access to millions of personal data points and furthermore is hosted on the cloud, “then such an app should be categorized as ‘high risk’ and cannot be behind just one firewall which, if poorly configured, compromises the app and the entire underlying data.”
The chances of another such breach are significant, Sethi adds: “Vulnerability is high as the tools and techniques available are even more sophisticated and easily available,” he said.
The takeaway for banks is to ensure that security teams remain “extra vigilant in ensuring systems—both legacy and new—can integrate seamlessly without opening up vulnerabilities,” says Stuart Reed, vice president of product and marketing at the UK-based cyber security firm Nominet.
“Having systems in place on the network to identify anomalous behavior at an early stage can mean the impact of an attack is reduced,” Reed says.
Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, agrees.
“Cloud storage is an increasingly attractive option for large corporations because it is cheaper than on-premise,” Galloway says. “But attacks like this show that organizations aren’t adopting security with the same vigor. And they should, otherwise the financial cost of penalties and lawsuits will vastly outweigh any IT savings.”
Tallying the fallout ‘may take years’
Though contained in the nick of time, the Capital One breach will cost between $100 to $150 million in 2019, bank officials say. That’s largely driven by customer notifications, credit monitoring, technology costs, and legal support.
While the bank has insurance for certain cyberattacks, it’s subject to a $10 million deductible and standard exclusions and carries a total coverage limit of $400 million, according to the company website.
What’s more, it may take years before those customers know the full extent of the problems they will face. “The impact to consumers is unclear in the short term,” Michael Clauser, global head of data and trust at Access Partnership, a global public policy firm serving the tech sector.
Data breaches “can lead to anything from petty identity and credit card theft to public embarrassment,” said Clauser a one-time presidential appointee in the Pentagon, national security aide in the U.S. House of Representatives, and Navy Reserve veteran.
In other words, imagine this information in the hands of foreign intelligence. “It can be used to spot, assess, and recruit spies, or for other manipulative activities that may not be apparent for years,” Clauser says. “In the long run, consumers also suffer because every time there is a breach, a government somewhere in the world decides enough is enough and, by golly, the solution is more laws and more regulations.”
Capital One may have gotten lucky. But CreditCards.com industry analyst Ted Rossman recommends customers not rely on chance—and do their own diligence.
“The number one thing consumers should do to protect their identities is to freeze their credit by contacting Equifax, Experian and TransUnion,” Rossman says. “It’s free, quick and easy. You can do it online or over the phone. … Unfortunately, only about 1 in 4 U.S. adults have frozen their credit.”
Also, “change your passwords regularly,” Rossman advises. “Use a password aggregator such as LastPass to ensure strong, unique passwords for all of your logins. We found that more than eight in ten U.S. adults reuse passwords, which is a major security vulnerability.”
Meanwhile, there’s no word on whether the alleged hacker had password protection or inadvertently hacked her own account—though she seemingly lacked a firewall between her illegal feat and the foot in her mouth.
Want more Banking Strategies? Sign up for our free newsletter!
Howard Altman oversees coverage of issues affecting troops and their families as managing editor of Military Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and the Tampa Bay Times.