Skip to main content

What to know about the ‘extremely unusual’ Capital One hack

[ad_1]

The hack included around 140,000 social security numbers. (From: <a href="https://commons.wikimedia.org/wiki/File:Social_security_card_john_q_public.png">Wikipedia</a>)

The hack included around 140,000 social security numbers. (From: <a href="https://commons.wikimedia.org/wiki/File:Social_security_card_john_q_public.png">Wikipedia</a>) (Wikimedia Commons/)

Between major breaches like ones from Equifax and Marriott, you could be forgiven for having data-theft fatigue. It's that world-weary feeling of knowing that once again, the personal information of millions has been compromised.

But the news about one how one hacker managed to nab information relating to around 100 million people from Capital One is not just concerning. It’s unusual.

Here’s what you should know about the incident, which involves Paige A. Thompson, the hacker Capital One describes as a “highly sophisticated individual.” She has already been arrested by the FBI.

Who was affected by the Capital One personal data breach?

Capital One says that in the United States, 100 million people were affected. In Canada, that number is 6 million. Most of the information comes from people or businesses who applied for credit cards. That contains the kind of information you might expect to see on a credit card application—data like names, birthdays, and phone numbers. The hacker also allegedly obtained some credit card information, like credit scores.

The most serious information that Thompson allegedly acquired: the social security numbers of some 140,000 credit card customers. While that's a small percentage of the 100 million or so people affected, a leaked social security number is always a big deal.

In Canada, some 80,000 bank account numbers and 1 million social insurance numbers were also compromised.

So what happened to the stolen information?

Capital One says that they "believe it is unlikely that the information was used for fraud or disseminated by this individual." If true, that's a very good thing. In other hacks, bad actors distribute stolen credentials like usernames and passwords, and then cybercriminals use them to try to log onto other sites in a tactic called credential stuffing. (In this case, the hack did not include that kind of information, according to Capital One.)

How do I check to see if I was affected by the Capital One data breach?

Capital One says that they will let people know if their information was involved in the hack via “a variety of channels.” The bank did not reply to requests for further information on how people may find out if their data was swept up in the breach. Capital One also notes that most of the leaked information pertains to applications for “credit card products” between 2005 and this year.

How did this all happen?

According to both Capital One and this criminal complaint filed by the U.S. Attorney's Office in Washington state, the suspect, Paige Thompson, acquired the data by hacking into Amazon Web Services, or AWS.

Capital One learned about this after receiving an email on July 17 tipping them off. That email is reproduced on page 5 of the criminal complaint and references "s3 data." S3, or Amazon Simple Storage Service is, as its name implies, a data storage service that's part of AWS. The whistleblower who pinged Capital One about the data noticed that the hacker, allegedly Thompson, posted the stolen information on a service called Github.

Thompson allegedly hacked her way in due to a weakness in the firewall configuration, according to the complaint.

What makes this cybersecurity incident so peculiar?

“It’s extremely unusual,” says Shuman Ghosemajumder, the CTO of cybersecurity company Shape Security. There are several reasons: for one, the suspect appears to have been working alone, and it’s unclear what her goal was. Based on publicly available information, Ghosemajumder observes that this “individual didn’t even have a very clear motive in terms of how she was going to monetize this.”

Another factor that makes this incident atypical is that Capital One’s announcement of the breach coincided with the news that the perpetrator had already been arrested. “Usually what happens is that there is a long period of time where forensic analysis is required to create any kind of hope of attribution, and in a lot of cases they can never identify who the individuals or organizations behind a particular data breach were,” Ghosemajumder says.

This hack also appears to have originated within the U.S., which made the sleuthing work undertaken by the Justice Department—specifically FBI Special Agent Joel Martini—easier than if the hacker were overseas.

Incidents like this one, Ghosemajumder adds, make for “a powerful deterrent for U.S.-based persons to not engage in criminal activity.”



[ad_2]

Written By Rob Verger

Comments

Post a Comment

Popular posts from this blog

Ice technicians are the secret stars of the Winter Olympics

[ad_1] The emphasis of this year's two-week-long Winter Olympic Games has been placed squarely on the Olympians themselves. After all, the stated purpose of the international competition is to bring together the world’s greatest athletes in a nail-biting competition across fifteen different winter sports. But before the curlers, skiers, and skaters even arrived in Pyeongchang, South Korea, the Olympians of the ice technician world were already a few weeks deep in a competition of their own. Mark Callan of the World Curling Federation and Markus Aschauer of the International Bobsleigh and Skeleton Federation both say they’re hoping to make the best ice the Winter Olympics have ever seen. To transform the barren concrete jungle of existing tracks and arenas into an ice- and snow-covered wonderland is an enormous undertaking. And it takes a keen understanding of the physics and chemistry that keeps frozen precipitation pristine. Curling Callan has been making and maintaining ice for m
Post a Comment
Read more

In the wake of NYC terrorist attack, Trump says he's ordered increased 'Extreme Vetting'

[ad_1] President Donald Trump has requested for a heightened vetting program following Tuesday's terrorist attack in New York. @realDonaldTrump: I have just ordered Homeland Security to step up our already Extreme Vetting Program. Being politically correct is fine, but not for this! Earlier, he tweeted that the attack in lower Manhattan was committed by a "sick and deranged person." @realDonaldTrump: In NYC, looks like another attack by a very sick and deranged person. Law enforcement is following this closely. NOT IN THE U.S.A.! His remarks came after a motorist drove onto a busy bicycle path near the World Trade Center memorial and struck several people on Tuesday, leaving at least eight people dead and a dozen injured. NBC News repor
Post a Comment
Read more

How to save everything you post to social media

[ad_1] If you get the urge to revisit that cute photo you posted some time last year, you'll have to scroll through your timeline for what feels like hours to track it back down. Instead, when you share a post on social media, also save it to your phone for safe-keeping. This will not only save your social media hits for posterity, but also make them easier to find if you ever need to rediscover them. In this guide, we focus on saving photos and videos, because text posts are slightly more complicated—the only way to really preserve text from Facebook and Twitter is to download your entire archive (we'll explain how to do this below), and Instagram and Snapchat don't let you save or export your instant messages at all. When it comes to photos and videos, there's a shortcut to make sure they stay on your phone: Originally film them through a dedicated app, which will save them to a gallery. Only then should you open up a social media app to share them. However, there'
Post a Comment
Read more