Lily Hay Newman, Wired:
On Monday, the FBI and the bank Capital One disclosed a data breach of 106 million credit card applications that compromised information like names, addresses, phone numbers, and dates of birth, along with 140,000 Social Security numbers, 80,000 bank account numbers, and some credit scores and transaction data. It’s one of the biggest breaches of a major financial institution ever. Four months after the incident occurred, within just 10 days of Capital One discovering it, the FBI has already made an arrest in connection with the crime.
Without a doubt, an enormous data breach, described by Capital One in the slimiest possible way in their press release:
No bank account numbers or Social Security numbers were compromised, other than:
About 140,000 Social Security numbers of our credit card customers
About 80,000 linked bank account numbers of our secured credit card customers
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
Only in an era of gigantic security breaches can the disclosure of over a hundred thousand Social Security Numbers and tens of thousands of bank account numbers be rounded down to none.
The Canadian acknowledgement feels like an insulting throwaway. This breach is, for me, a natural extension of a deeply irritating customer service experience. In my early twenties, I was offered what was pitched to me as a rewards and discount card for Hudson’s Bay; it was actually a credit card, despite repeated denials from the customer service representative. That credit card — which I cancelled a few minutes after realizing what it was — was provided through Capital One.
Seattle resident Paige A. Thompson, 33, was charged Monday with one count of computer fraud and abuse, according to the FBI and court records. Thompson, the criminal complaint alleges, went by the hacker name “erratic” in many online accounts and forums. She allegedly exploited a misconfigured firewall to access a Capital One cloud repository and exfiltrate data sometime in March. On April 21, the FBI says, Thompson posted the data to her GitHub account, which included her full name and resume. It is unclear whether anyone downloaded the data after she allegedly posted it, but they very well may have given that Thompson allegedly talked openly about stealing the data, even on Slack.
It’s pretty terrible that this data was exfiltrated in March and was made public in April, but wasn’t reported to Capital One until July — this intrusion apparently wasn’t detected.
Note: This post has been edited.