Maybe if Capital One stopped practicing age discrimination and hired more experienced IT workers (a problem at numerous companies, btw), it could have avoided the breach. In my opinion, this breach should result in crippling fines and C-suite execs being held criminally liable. Of course that will never happen in the U.S.
A hacker raided Capital One’s cloud storage buckets and stole personal information on 106 million credit card applicants in America and Canada.
The swiped data includes 140,000 US social security numbers and 80,000 bank account numbers, we’re told, as well as one million Canadian social insurance numbers, plus names, addresses, phone numbers, dates of birth, and reported incomes.
The pilfered data was submitted to Capital One by credit card hopefuls between 2005 and early 2019. The info was siphoned between March this year and July 17, and Capital One learned of the intrusion on July 19.
Seattle software engineer Paige A. Thompson, aka “erratic,” aka 0xA3A97B6C on Twitter, was suspected of nicking the data, and was collared by the FBI at her home on Monday this week. The 33-year-old has already appeared in court, charged with violating the US Computer Fraud and Abuse Act. She will remain in custody until her next hearing on August 1.
According to the Feds in their court paperwork [PDF], Thompson broke into Capital One’s cloud-hosted storage, believed to be Amazon Web Services’ S3 buckets, and downloaded their contents.
The financial giant said the intruder exploited a “configuration vulnerability,” while the Feds said a “firewall misconfiguration permitted commands to reach and be executed” by Capital One’s cloud-based storage servers. US prosecutors said the thief slipped past a “misconfigured web application firewall.”
Either way, someone using VPN service IPredator and the anonymizing Tor network illegally accessed the bank’s in-the-cloud systems, and downloaded citizens’ private data. This “misconfiguration” has since been fixed.
Thompson was, for what it’s worth, an engineer at Amazon Web Services, specifically on its cloud storage systems, between 2015 and 2016, and worked on various software projects in her spare time as well as running her own server-hosting outfit…