
Capital One Reports Data Breach Affecting 100 Million Customers

Discussion in 'Off-Topic' started by TC McQuade, Jul 29, 2019.

  1. TC McQuade

    TC McQuade NES Member

    Joined:
    Feb 6, 2014
    Messages:
    1,328
    Likes Received:
    566
    Location:
    East Coast USA
    Capital One Reports Data Breach Affecting 100 Million Customers

    Anyone think there will be more than 100 Million?

    Alleged hacker, a former employee of Amazon Web Services, arrested by federal agents in Seattle!
    And the Government thinks it's safe to let Amazon run the military's Cloud...

    Capital One Financial Corp. , the fifth-biggest U.S. credit-card issuer, said Monday that a hacker accessed the personal information of approximately 106 million card customers and applicants, one of the largest-ever data breaches of a large bank.

    Paige A. Thompson, 33 years old, was arrested in connection with the hack Monday by federal agents in Seattle, officials said. Ms. Thompson is accused of breaking through a Capital One firewall to access customer data that the bank had stored on Amazon.com Inc. ’s cloud service, according to a federal criminal complaint and people familiar with the matter.

    The bulk of the exposed data involves information submitted by customers and small businesses that applied for Capital One credit cards between 2005 and early 2019, the bank said, including addresses, dates of birth and self-reported income.

    Ms. Thompson is a former employee of Amazon Web Services Inc., according to people familiar with the matter. The criminal complaint says Ms. Thompson’s résumé showed she worked at a cloud-computing company, which the government didn’t name, as a systems engineer from 2015 to 2016.

    The breach compromised approximately 140,000 Social Security numbers and 80,000 bank account numbers, as well as some customers’ credit scores, payment histories and credit limits. It follows a breach in 2017 at credit-reporting company Equifax Inc., which exposed the data of nearly 150 million Americans and focused public and congressional attention on the sensitive information that financial companies keep on their customers.

    Paige Thompson, 33, was arrested in connection with the breach, the Justice Department said Monday. The department alleges that Thompson "posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data."

    Thompson had previously worked as a tech company software engineer and was able to gain access by exploiting a misconfigured web application firewall, the DOJ said.

    Paige Adele Thompson
     
    Last edited: Jul 29, 2019

  2. The5thDentist

    The5thDentist NES Life Member NES Member

    Joined:
    Sep 27, 2013
    Messages:
    7,135
    Likes Received:
    6,035
    Location:
    1 mile from freedom
  3. TC McQuade

    TC McQuade NES Member

    Joined:
    Feb 6, 2014
    Messages:
    1,328
    Likes Received:
    566
    Location:
    East Coast USA
    IT works for me.
     
  4. Broccoli Iglesias

    Broccoli Iglesias NES Member

    Joined:
    Sep 18, 2010
    Messages:
    18,839
    Likes Received:
    6,345
    Location:
    Suckachusetts
    Great, and one of my CC was switched over to Capital One last year.

    That's probably the 5th or 6th time my info has been stolen with all these data breaches.

    Good thing I have my credit frozen. But WTF.

    It's all good guys, the Chairman is sorry. I feel a lot better now...

     
  5. M1911

    M1911 Moderator NES Member

    Joined:
    Apr 1, 2005
    Messages:
    38,859
    Likes Received:
    6,610
    Location:
    Near Framingham
    Yup. I think she is a he.
     
  6. Fixxah

    Fixxah NES Member

    Joined:
    May 1, 2008
    Messages:
    27,721
    Likes Received:
    6,517
    Location:
    Norwood mostly.
    Wood hit. With a hammer.
     
    Uzi2 likes this.
  7. Uzi2

    Uzi2 NES Member

    Joined:
    Sep 5, 2017
    Messages:
    4,304
    Likes Received:
    4,647
    Would drop in chipper.
     
  8. Super99Z

    Super99Z NES Member

    Joined:
    Aug 30, 2010
    Messages:
    3,979
    Likes Received:
    2,732
    Location:
    South Shore
    She's handsome.
     
    bauer, Wrench75 and mcb like this.
  9. Spanz

    Spanz NES Member

    Joined:
    Feb 25, 2009
    Messages:
    28,172
    Likes Received:
    12,910
    Why don't they really go after these hackers? Like 400 years in jail for such a mammoth crime?
     
  10. EddieZoom

    EddieZoom NES Member

    Joined:
    Jul 20, 2014
    Messages:
    800
    Likes Received:
    439
    Location:
    SouthShore MA
    We are becoming numb to these type of security breaches...oh well, what'cha gonna do...I guess they'll issue me a new card and pay for 1 year of credit monitoring....nothing to see here, moving on.

    Companies have shown time and again they are not worthy custodians of our personal information. Choosing to store customer data in the cloud is fine but you don't get to ignore your responsibilities to protect that data regardless of where it's stored.
     
    commodon and Len-2A Training like this.
  11. Super99Z

    Super99Z NES Member

    Joined:
    Aug 30, 2010
    Messages:
    3,979
    Likes Received:
    2,732
    Location:
    South Shore
    I almost feel like there is some sort of right or maybe an amendment that might stop that.................................
     
  12. Spanz

    Spanz NES Member

    Joined:
    Feb 25, 2009
    Messages:
    28,172
    Likes Received:
    12,910
    I do not see it that way. Let's say stealing someone's identity and selling it online rates one week in jail. So one week times 100 million counts of the crime... is 100 million weeks in prison. Perfectly legal.
     
    dingbat and Broccoli Iglesias like this.
  13. Super99Z

    Super99Z NES Member

    Joined:
    Aug 30, 2010
    Messages:
    3,979
    Likes Received:
    2,732
    Location:
    South Shore
    Sounds insane for just some digital numbers on a screen. It doesn't even say anything of monetary value was taken. Just information; Google, Alexa, Amazon are all harvesting more information than this gentleman got, every minute of the day.
     
  14. GM-GUY

    GM-GUY NES Member

    Joined:
    May 27, 2008
    Messages:
    8,886
    Likes Received:
    3,837
    Location:
    North Central Mass
    Capital One got the Cabelas card - awesome.

    I have LifeLock though.
     
  15. headednorth

    headednorth NES Member

    Joined:
    Apr 9, 2012
    Messages:
    9,937
    Likes Received:
    6,249
    That's the worst case of dudeface I've seen in quite a while.
     
  16. VetteGirlMA

    VetteGirlMA NES Member

    Joined:
    Feb 3, 2015
    Messages:
    2,585
    Likes Received:
    2,200
    Location:
    western mass
    Boy are there going to be a lot of major corporations evaluating their working relationships with AWS this morning. A lot of companies handed over the keys to their data centers to Amazon.
     
  17. 42!

    42! NES Life Member NES Member

    Joined:
    Apr 9, 2010
    Messages:
    5,550
    Likes Received:
    2,690
    The information has value because it can be used to access/create accounts of the people whose information was stolen. As for Google, Alexa, etc., well, you agreed to that; read the fine print.
     
  18. 42!

    42! NES Life Member NES Member

    Joined:
    Apr 9, 2010
    Messages:
    5,550
    Likes Received:
    2,690
    Kind of depends on whose web application was compromised. It's more likely, given its access to customer data, that the app was Capital One's and only hosted on AWS. If that was the case it really wouldn't have mattered if it was hosted on systems owned directly by Capital One. The hosting company isn't responsible when their customers do stupid things; I see this stuff all the time.
     
    M1911 and DarkNet like this.
  19. M1911

    M1911 Moderator NES Member

    Joined:
    Apr 1, 2005
    Messages:
    38,859
    Likes Received:
    6,610
    Location:
    Near Framingham
    I doubt the problem was AWS. Far more likely, CapitalOne screwed up on their security configuration.
     
    Len-2A Training, Admin and DarkNet like this.
  20. EddieZoom

    EddieZoom NES Member

    Joined:
    Jul 20, 2014
    Messages:
    800
    Likes Received:
    439
    Location:
    SouthShore MA
    Too much to assume this sensitive customer data was/is encrypted? If not, why not?
     
  21. mass

    mass NES Member

    Joined:
    May 4, 2005
    Messages:
    6,122
    Likes Received:
    1,995
    Location:
    Merrimack Valley
    It's ma'am!
     
  22. M1911

    M1911 Moderator NES Member

    Joined:
    Apr 1, 2005
    Messages:
    38,859
    Likes Received:
    6,610
    Location:
    Near Framingham
    Because the CapitalOne developers were dopes?
     
  23. rali

    rali

    Joined:
    Jan 7, 2010
    Messages:
    337
    Likes Received:
    193
    Meh. AWS (really, all of the top tier cloud providers) draws a clear distinction between “security OF the cloud” and “security IN the cloud.” It makes no difference, as others have pointed out, whether a crappy app runs in a traditional data center or in a cloud data center.
    But a LOT fewer techs and admins have access to an AWS facility than a traditional colo facility.

    I give CapOne some credit (one should excuse the phrasing); this breach was applications for credit cards, but at least they were smart enough to abstract and tokenize the SSNs. Too much other stuff not tokenized to give them a free pass, but a start. Unlike the douchenozzles at Equifax.

    Also points for not using mealy mouthed “may have been inconvenienced” language in the press release.

    R
     
    M1911 likes this.
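    The SSN tokenization rali credits Capital One with, as an added worked example. This is editor-supplied code, not anything from the thread, Capital One or AWS. Assumptions: the in-process `TokenVault` dictionary stands in for a separately secured vault service with its own keys and access control, the `tok_` prefix is made up, and the applicants are constructed sample data. The point it shows is that the application-tier table, which is what an application breach exposes, carries only random tokens that cannot be reversed without the vault.

```python
import hashlib
import hmac
import re
import secrets
import string

_SSN_RE = re.compile(r"^\d{9}$")


def normalize_ssn(ssn: str) -> str:
    """Strip separators and refuse anything that is not nine digits."""
    digits = ssn.replace("-", "").replace(" ", "")
    if not _SSN_RE.match(digits):
        raise ValueError("not a 9-digit SSN")
    return digits


class TokenVault:
    """Stand-in for a separately secured token vault (assumption: in a real
    deployment this is its own service with its own keys and access control).
    Only the vault ever holds the token -> SSN mapping."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key      # keyed fingerprint so a repeat SSN maps to the same token
        self._token_to_ssn = {}
        self._fingerprint_to_token = {}

    def tokenize(self, ssn: str) -> str:
        digits = normalize_ssn(ssn)
        fp = hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()
        token = self._fingerprint_to_token.get(fp)
        if token is None:
            # Random, letters-only token: nothing about the SSN is derivable from it
            # (unlike a plain hash, whose 10^9 input space is brute-forced in seconds),
            # and it can never be mistaken for, or matched as, an SSN.
            token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(20))
            self._fingerprint_to_token[fp] = token
            self._token_to_ssn[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access (e.g. the credit-bureau pull) ever see the SSN."""
        return self._token_to_ssn[token]


class ApplicationStore:
    """The application-tier table: what a breach of the app tier actually exposes."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.rows = []

    def add_application(self, name: str, dob: str, income: int, ssn: str) -> dict:
        row = {"name": name, "dob": dob, "income": income,
               "ssn_token": self._vault.tokenize(ssn)}
        self.rows.append(row)
        return row

    def dump(self) -> str:
        """Serialized table, as an attacker who copied it would see it."""
        return "\n".join(",".join(str(v) for v in r.values()) for r in self.rows)


def ssns_recoverable_from_dump(dump: str) -> bool:
    """True if any nine-digit run (a raw SSN) survives in the dumped table."""
    return re.search(r"\d{9}", dump) is not None


def demo():
    vault = TokenVault(secrets.token_bytes(32))
    store = ApplicationStore(vault)
    # Constructed sample applicants; not real data.
    store.add_application("A. Applicant", "1980-01-01", 55000, "123-45-6789")
    store.add_application("B. Applicant", "1975-06-30", 72000, "987-65-4321")
    store.add_application("A. Applicant", "1980-01-01", 56000, "123456789")  # same person re-applies
    return vault, store


if __name__ == "__main__":
    v, s = demo()
    print(s.dump())
    print("raw SSNs in dump:", ssns_recoverable_from_dump(s.dump()))
```

    The keyed fingerprint index is what lets the vault hand back the same token for a returning applicant without keeping a plaintext-searchable copy of the SSN outside the vault; the other fields (address, date of birth, income) are exactly the ones the article says were taken, and nothing here protects them, which is rali's "too much other stuff not tokenized" point.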
  24. ReluctantDecoy

    ReluctantDecoy

    Joined:
    Oct 17, 2017
    Messages:
    883
    Likes Received:
    556
    Location:
    Cambridge, MA
    I agree with the jail time, but this was somewhat an inside job. An employee from the cloud storage service Cap One was using. I'm figuring that this person was basically an idiot, as the reason she got caught was because she bragged about what she did in an online forum, where someone ratted her out to Cap One. Wonder if she did it just to brag, which would be kind of better because there was no end game with the data. Little actual hacking involved if you already know the system from the inside. Almost makes me think this is worse than hacking though, as this was supposedly from a trusted vendor. So data isn't safe from hackers OR the companies that you do business with.
     
  25. BBQ.Uncle

    BBQ.Uncle NES Life Member NES Member

    Joined:
    Jan 21, 2009
    Messages:
    5,403
    Likes Received:
    3,935
    Location:
    Live Free or Die


     
  26. M1911

    M1911 Moderator NES Member

    Joined:
    Apr 1, 2005
    Messages:
    38,859
    Likes Received:
    6,610
    Location:
    Near Framingham
    I think you are misunderstanding the situation. This was a former AWS employee. I’m sure they weren’t using their old AWS credentials, as Amazon would have disabled those on their last day.

    This was simply CapitalOne failing to lock their front door.
     
    powerman likes this.
  27. powerman

    powerman NES Member

    Joined:
    Sep 25, 2009
    Messages:
    1,035
    Likes Received:
    249
    Location:
    Eastern, MA
    and I wonder how many other "actors" walked in and out the front door with the "goods"

    I don't trust any of them personally, I will use credit to my advantage when need though.

    I was rejected with the Cabela's card swap, I didn't reapply, but I wonder if I'm in there too.

    I'm down to (2) cards, (1) personal and (1) biz, and no other outstanding loans or credit. Trying to disappear from the credit space.
     
  28. ReluctantDecoy

    ReluctantDecoy

    Joined:
    Oct 17, 2017
    Messages:
    883
    Likes Received:
    556
    Location:
    Cambridge, MA
    How do you figure I was misunderstanding it? AWS was Cap One's cloud storage. This former AWS employee had inside knowledge of both systems. Whether she was actually an employee or not at the time of the theft doesn't change the fact that she used inside knowledge to exploit a firewall vulnerability that would otherwise be difficult to notice without intimate knowledge of internal systems, so inside job. She didn't crack this as a disinterested third party from scratch, which I would call a true hack.
     
  29. DarkNet

    DarkNet NES Life Member NES Member

    Joined:
    May 21, 2016
    Messages:
    317
    Likes Received:
    174
    There are times that data is encrypted, and times that it is not. By design. For example it is most likely encrypted at rest (stored on the hard drive) and in transit between the application server and the client. (This "may not" always be true, but that WOULD be a serious vulnerability.) In any case, at some point the data needs to NOT be encrypted, such as being processed on the server or being displayed to the client (customer). If there is a vulnerability in the application, then an attacker could essentially pretend to be every customer and collect their information, or attack the application server and get it there.
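    DarkNet's point that the data has to be in the clear while the application works on it, so that an application bug lets an attacker read every customer's record no matter how it is encrypted on disk, as an added worked example. This is editor-supplied code, not from the thread or from Capital One. Assumptions: the HMAC-based keystream cipher is a small stand-in for AES-GCM so the example runs on the standard library alone (use a real AEAD in practice); the handler names, the `Session` object and the customer records are made up. It puts an insecure direct object reference handler next to the fixed one and runs the same id walk through both.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in for a real AEAD (assumption; use AES-GCM in practice)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext tampered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptedStore:
    """Encryption at rest: what sits on disk is ciphertext, but the application
    tier holds the key and decrypts whatever row it is asked for."""

    def __init__(self, key: bytes):
        self._key = key
        self._rows = {}   # customer_id -> blob

    def put(self, customer_id: int, record: dict) -> None:
        self._rows[customer_id] = encrypt(self._key, json.dumps(record).encode())

    def get(self, customer_id: int) -> dict:
        return json.loads(decrypt(self._key, self._rows[customer_id]))

    def disk_image(self) -> bytes:
        """What someone who copies the storage volume gets."""
        return b"".join(self._rows.values())


class Session:
    """Authenticated caller; customer_id comes from the login, not from the request."""

    def __init__(self, customer_id: int):
        self.customer_id = customer_id


def get_record_vulnerable(store, session, requested_id):
    """Trusts the id in the request: any logged-in user can read any customer (IDOR)."""
    return store.get(requested_id)


def get_record_fixed(store, session, requested_id):
    """Binds the lookup to the caller's own identity before decrypting anything."""
    if requested_id != session.customer_id:
        raise PermissionError("record does not belong to caller")
    return store.get(requested_id)


def harvest(handler, store, session, id_range):
    """What an attacker with one valid login does: walk the id space through the handler."""
    leaked = {}
    for cid in id_range:
        try:
            leaked[cid] = handler(store, session, cid)
        except (PermissionError, KeyError):
            pass
    return leaked


def demo():
    store = EncryptedStore(secrets.token_bytes(32))
    # Constructed sample records; not real customers.
    store.put(1001, {"name": "A. Customer", "credit_limit": 5000, "score": 710})
    store.put(1002, {"name": "B. Customer", "credit_limit": 12000, "score": 780})
    store.put(1003, {"name": "C. Customer", "credit_limit": 2500, "score": 640})
    attacker = Session(customer_id=1003)        # attacker owns one legitimate account
    return store, attacker


if __name__ == "__main__":
    store, attacker = demo()
    ids = range(1000, 1010)
    print("IDOR handler leaks:", len(harvest(get_record_vulnerable, store, attacker, ids)))
    print("fixed handler leaks:", len(harvest(get_record_fixed, store, attacker, ids)))
```

    The disk image contains no plaintext, so a stolen volume or backup is useless without the key; the vulnerable handler still hands every record to whoever asks, because the application decrypts on the caller's behalf before any ownership check. The fix is not more encryption but the authorization check in front of the decrypt.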
     
  30. Broccoli Iglesias

    Broccoli Iglesias NES Member

    Joined:
    Sep 18, 2010
    Messages:
    18,839
    Likes Received:
    6,345
    Location:
    Suckachusetts
    And then what? Your data is already out there being sold over and over again to people all around the world.

    I agree, send them to prison for life. But the damage is already done.
     
