Skip to main content

What to know about the ‘extremely unusual’ Capital One hack

[ad_1]

The hack included around 140,000 social security numbers. (From: <a href="https://commons.wikimedia.org/wiki/File:Social_security_card_john_q_public.png">Wikipedia</a>)

The hack included around 140,000 social security numbers. (From: <a href="https://commons.wikimedia.org/wiki/File:Social_security_card_john_q_public.png">Wikipedia</a>) (Wikimedia Commons/)

Between major breaches like ones from Equifax and Marriott, you could be forgiven for having data-theft fatigue. It's that world-weary feeling of knowing that once again, the personal information of millions has been compromised.

But the news about one how one hacker managed to nab information relating to around 100 million people from Capital One is not just concerning. It’s unusual.

Here’s what you should know about the incident, which involves Paige A. Thompson, the hacker Capital One describes as a “highly sophisticated individual.” She has already been arrested by the FBI.

Who was affected by the Capital One personal data breach?

Capital One says that in the United States, 100 million people were affected. In Canada, that number is 6 million. Most of the information comes from people or businesses who applied for credit cards. That contains the kind of information you might expect to see on a credit card application—data like names, birthdays, and phone numbers. The hacker also allegedly obtained some credit card information, like credit scores.

The most serious information that Thompson allegedly acquired: the social security numbers of some 140,000 credit card customers. While that's a small percentage of the 100 million or so people affected, a leaked social security number is always a big deal.

In Canada, some 80,000 bank account numbers and 1 million social insurance numbers were also compromised.

So what happened to the stolen information?

Capital One says that they "believe it is unlikely that the information was used for fraud or disseminated by this individual." If true, that's a very good thing. In other hacks, bad actors distribute stolen credentials like usernames and passwords, and then cybercriminals use them to try to log onto other sites in a tactic called credential stuffing. (In this case, the hack did not include that kind of information, according to Capital One.)

How do I check to see if I was affected by the Capital One data breach?

Capital One says that they will let people know if their information was involved in the hack via “a variety of channels.” The bank did not reply to requests for further information on how people may find out if their data was swept up in the breach. Capital One also notes that most of the leaked information pertains to applications for “credit card products” between 2005 and this year.

How did this all happen?

According to both Capital One and this criminal complaint filed by the U.S. Attorney's Office in Washington state, the suspect, Paige Thompson, acquired the data by hacking into Amazon Web Services, or AWS.

Capital One learned about this after receiving an email on July 17 tipping them off. That email is reproduced on page 5 of the criminal complaint and references "s3 data." S3, or Amazon Simple Storage Service is, as its name implies, a data storage service that's part of AWS. The whistleblower who pinged Capital One about the data noticed that the hacker, allegedly Thompson, posted the stolen information on a service called Github.

Thompson allegedly hacked her way in due to a weakness in the firewall configuration, according to the complaint.

What makes this cybersecurity incident so peculiar?

“It’s extremely unusual,” says Shuman Ghosemajumder, the CTO of cybersecurity company Shape Security. There are several reasons: for one, the suspect appears to have been working alone, and it’s unclear what her goal was. Based on publicly available information, Ghosemajumder observes that this “individual didn’t even have a very clear motive in terms of how she was going to monetize this.”

Another factor that makes this incident atypical is that Capital One’s announcement of the breach coincided with the news that the perpetrator had already been arrested. “Usually what happens is that there is a long period of time where forensic analysis is required to create any kind of hope of attribution, and in a lot of cases they can never identify who the individuals or organizations behind a particular data breach were,” Ghosemajumder says.

This hack also appears to have originated within the U.S., which made the sleuthing work undertaken by the Justice Department—specifically FBI Special Agent Joel Martini—easier than if the hacker were overseas.

Incidents like this one, Ghosemajumder adds, make for “a powerful deterrent for U.S.-based persons to not engage in criminal activity.”



[ad_2]

Written By Rob Verger

Comments

Post a Comment

Popular posts from this blog

Ice technicians are the secret stars of the Winter Olympics

[ad_1] The emphasis of this year's two-week-long Winter Olympic Games has been placed squarely on the Olympians themselves. After all, the stated purpose of the international competition is to bring together the world’s greatest athletes in a nail-biting competition across fifteen different winter sports. But before the curlers, skiers, and skaters even arrived in Pyeongchang, South Korea, the Olympians of the ice technician world were already a few weeks deep in a competition of their own. Mark Callan of the World Curling Federation and Markus Aschauer of the International Bobsleigh and Skeleton Federation both say they’re hoping to make the best ice the Winter Olympics have ever seen. To transform the barren concrete jungle of existing tracks and arenas into an ice- and snow-covered wonderland is an enormous undertaking. And it takes a keen understanding of the physics and chemistry that keeps frozen precipitation pristine. Curling Callan has been making and maintaining ic...
Post a Comment
Read more

With Operation Popeye, the U.S. government made weather an instrument of war

[ad_1] It was a seasonably chilly afternoon in 1974 when Senators Claiborne Pell, a Democrat from Rhode Island, and Clifford Case, a Republican from New Jersey, strode into the chambers of the Senate Committee on Foreign Relations for a classified briefing. While the meeting was labeled “top secret,” the topic at hand was rather mundane: They were there to discuss the weather. More specifically, Pell, the chairman of the now-defunct subcommittee for Oceans and International Environment, and his colleague were about to learn the true extent of a secret five-year-old cloud seeding operation meant to lengthen the monsoon season in Vietnam, destabilize the enemy, and allow the United States to win the war. Though it cycled through several names in its history, "Operation Popeye" stuck. Its stated objectives—to ensure Americans won the Vietnam War—were never realized, the revelation that the U.S. government played God with weather-altering warfare changed history. The...
Post a Comment
Read more

The fate of future endangered species could hinge on a semantic argument

[ad_1] Everyone agrees that the Pacific walrus is stressed. The large, tusked pinnipeds depend on floating sea ice to rest and give birth in the spring and summers, when the Goldilocks-sized not-too-thin, not-too-thick ice floes they require are becoming increasingly rare. But coming to a consensus on how the large marine mammals will react to that stress is less straightforward. “While the Pacific walrus will experience a future reduction in availability of sea ice ... we are unable to reliably predict the magnitude of the effect,” read the official Fish and Wildlife service finding in October 2017, explaining the decision not to list the species under the Endangered Species Act despite the service’s own 2011 assessment that it was threatened by climate change. The text continued: “We do not have reliable information showing that the magnitude of this change could be sufficient to put the subspecies in danger of extinction now or in the foreseeable future....
Post a Comment
Read more