
What to know about the ‘extremely unusual’ Capital One hack


The hack included around 140,000 social security numbers. (From: Wikipedia, https://commons.wikimedia.org/wiki/File:Social_security_card_john_q_public.png)


Between major breaches like ones from Equifax and Marriott, you could be forgiven for having data-theft fatigue. It's that world-weary feeling of knowing that once again, the personal information of millions has been compromised.

But the news about how one hacker managed to nab information relating to around 100 million people from Capital One is not just concerning. It’s unusual.

Here’s what you should know about the incident, which involves Paige A. Thompson, the hacker Capital One describes as a “highly sophisticated individual.” She has already been arrested by the FBI.

Who was affected by the Capital One personal data breach?

Capital One says that in the United States, 100 million people were affected. In Canada, that number is 6 million. Most of the information comes from people or businesses who applied for credit cards. That includes the kind of information you might expect to see on a credit card application—data like names, birthdays, and phone numbers. The hacker also allegedly obtained some credit card information, like credit scores.

The most serious information that Thompson allegedly acquired: the social security numbers of some 140,000 credit card customers. While that's a small percentage of the 100 million or so people affected, a leaked social security number is always a big deal.

In Canada, some 80,000 bank account numbers and 1 million social insurance numbers were also compromised.

So what happened to the stolen information?

Capital One says that they "believe it is unlikely that the information was used for fraud or disseminated by this individual." If true, that's a very good thing. In other hacks, bad actors distribute stolen credentials like usernames and passwords, and then cybercriminals use them to try to log onto other sites in a tactic called credential stuffing. (In this case, the hack did not include that kind of information, according to Capital One.)

How do I check to see if I was affected by the Capital One data breach?

Capital One says that they will let people know if their information was involved in the hack via “a variety of channels.” The bank did not reply to requests for further information on how people may find out if their data was swept up in the breach. Capital One also notes that most of the leaked information pertains to applications for “credit card products” between 2005 and this year.

How did this all happen?

According to both Capital One and this criminal complaint filed by the U.S. Attorney's Office in Washington state, the suspect, Paige Thompson, acquired the data by hacking into Amazon Web Services, or AWS.

Capital One learned about this after receiving an email on July 17 tipping them off. That email is reproduced on page 5 of the criminal complaint and references "s3 data." S3, or Amazon Simple Storage Service, is, as its name implies, a data storage service that's part of AWS. The whistleblower who pinged Capital One about the data noticed that the hacker, allegedly Thompson, posted the stolen information on a service called GitHub.

Thompson allegedly hacked her way in due to a weakness in the firewall configuration, according to the complaint.

What makes this cybersecurity incident so peculiar?

“It’s extremely unusual,” says Shuman Ghosemajumder, the CTO of cybersecurity company Shape Security. There are several reasons: for one, the suspect appears to have been working alone, and it’s unclear what her goal was. Based on publicly available information, Ghosemajumder observes that this “individual didn’t even have a very clear motive in terms of how she was going to monetize this.”

Another factor that makes this incident atypical is that Capital One’s announcement of the breach coincided with the news that the perpetrator had already been arrested. “Usually what happens is that there is a long period of time where forensic analysis is required to create any kind of hope of attribution, and in a lot of cases they can never identify who the individuals or organizations behind a particular data breach were,” Ghosemajumder says.

This hack also appears to have originated within the U.S., which made the sleuthing work undertaken by the Justice Department—specifically FBI Special Agent Joel Martini—easier than if the hacker were overseas.

Incidents like this one, Ghosemajumder adds, make for “a powerful deterrent for U.S.-based persons to not engage in criminal activity.”




Written By Rob Verger
