Captain they breached the CAPITAL!!!

[AlexOak]

If you are a cardholder with Capital one then I got some bad news for you bud and you too Canadian friend. 

 

Spoiler

In one of the biggest-ever data breaches, a hacker gained access to more than 100 million Capital One customers' accounts and credit card applications earlier this year.

Paige Thompson is accused of breaking into a Capital One server and gaining access to140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information, according to the bank and the US Department of Justice.

A criminal complaint says Thompson tried to share the information with others online. The 33-year-old, who lives in Seattle, had previously worked as a tech company software engineer for the cloud hosting company that Capital One was using, the DOJ said. She was able to gain access by exploiting a misconfigured web application firewall, according to a court filing.

Thompson was arrested Monday in connection with the breach, the Justice Department said. Thompson's attorney could not be immediately reached for comment.

 

 

Capital One (COF) said the hack occurred March 22 and 23. The company indicated it fixed the vulnerability and said it is "unlikely that the information was used for fraud or disseminated by this individual." However, the company is still investigating.

"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," said Capital One CEO Richard Fairbank in a statement.

The breach affected around 100 million people in the United States and about 6 million people in Canada, according to Capital One.

However, "no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised," the company said.

The criminal complaint against Thompson paints a picture of a less-than-careful suspect. Thompson posted the information on GitHub, using her own name, the complaint says, adding that she also indicated on social media that she had Capital One information.

 

The FBI special agent who investigated Thompson believes Thompson tweeted that she wanted to distribute Social Security numbers along with full names and dates of birth.

The complaint indicates Thompson "recognizes that she has acted illegally."

Capital One said it will notify people affected by the breach and will make free credit monitoring and identity protection available. The company expects to incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support due to the hack.

Capital One's stock was down 4% after hours late Monday night.

TDLR:  140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information. That's all you need to know along with the person behind this breach has been caught.

 

Opinion:

This sucks because the info could now be in the dark web and like always when something like this happens take advantage of the free credit monitoring service.

 

Source:  https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html

 

Edit: I was told it was a female. My apologies.  

[ARikozuM]

This is why we need regulations to be stricter in some cases. 

 

Also, Credit Karma. 

 

Unless you're involved in the Equifax breach and want 10 years of free credit monitoring courtesy of Equifax (which allegedly comes with an insane max payout of $250K if your identity is stolen). 

[rawrdaysgoby]

Oh, 140k SSN only that was close..., it mainly affected canadians with 1 mil.  

[NumLock21]

Capital as in the card. I thought it was something else.

[wanderingfool2]

And this is why I hate the concept of the "cloud" and moving things to the cloud...it gives third parties so much extra power.

[79wjd]

10 minutes ago, wanderingfool2 said:

And this is why I hate the concept of the "cloud" and moving things to the cloud...it gives third parties so much extra power.

The cloud actually has the potential to make things safer. I have far more faith in Google or Microsoft to properly secure their networks than I do the typical company. Of course a lot still comes down to the controlling company, but any reduction is something.

[williamcll]

At least they caught the perpetrator, unlike most breaches. 

[TechyBen]

5 hours ago, AlexOak said:

If you are a cardholder with Capital one then I got some bad news for you bud and you too Canadian friend. 

 

  Reveal hidden contents

In one of the biggest-ever data breaches, a hacker gained access to more than 100 million Capital One customers' accounts and credit card applications earlier this year.

Paige Thompson is accused of breaking into a Capital One server and gaining access to140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information, according to the bank and the US Department of Justice.

A criminal complaint says Thompson tried to share the information with others online. The 33-year-old, who lives in Seattle, had previously worked as a tech company software engineer for the cloud hosting company that Capital One was using, the DOJ said. She was able to gain access by exploiting a misconfigured web application firewall, according to a court filing.

Thompson was arrested Monday in connection with the breach, the Justice Department said. Thompson's attorney could not be immediately reached for comment.

 

 

Capital One (COF) said the hack occurred March 22 and 23. The company indicated it fixed the vulnerability and said it is "unlikely that the information was used for fraud or disseminated by this individual." However, the company is still investigating.

"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," said Capital One CEO Richard Fairbank in a statement.

The breach affected around 100 million people in the United States and about 6 million people in Canada, according to Capital One.

However, "no credit card account numbers or log-in credentials were compromised and over 99% of Social Security numbers were not compromised," the company said.

The criminal complaint against Thompson paints a picture of a less-than-careful suspect. Thompson posted the information on GitHub, using her own name, the complaint says, adding that she also indicated on social media that she had Capital One information.

 

The FBI special agent who investigated Thompson believes Thompson tweeted that she wanted to distribute Social Security numbers along with full names and dates of birth.

The complaint indicates Thompson "recognizes that she has acted illegally."

Capital One said it will notify people affected by the breach and will make free credit monitoring and identity protection available. The company expects to incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support due to the hack.

Capital One's stock was down 4% after hours late Monday night.

TDLR:  140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people's names, addresses, credit scores, credit limits, balances, and other information. That's all you need to know along with the guy behind this breach has been caught.

 

Opinion:

This sucks because the info could now be in the dark web and like always when something like this happens take advantage of the free credit monitoring service.

 

Source:  https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html

Oh, never knew NCIX did Credit card security?!

 

/Buuuuurn.

[LAwLz]

5 hours ago, wanderingfool2 said:

And this is why I hate the concept of the "cloud" and moving things to the cloud...it gives third parties so much extra power.

And some people still think it's a good idea to do mandatory backdoors in software so that the government can more easily spy on us.

I think it should be abundantly clear to anyone with half a brain that neither the government nor companies can be trusted to keep things secure, so the logical step in preventing harm is to limit the amount of things they can do and collect.

[leadeater]

5 hours ago, 79wjd said:

The cloud actually has the potential to make things safer. I have far more faith in Google or Microsoft to properly secure their networks than I do the typical company. Of course a lot still comes down to the controlling company, but any reduction is something.

Customers of cloud providers are still the controllers of security, that is inclusive of the provided resources and systems they deploy in to the provider. Utilizing cloud resources without knowing what you are doing can result in huge security issues, for example normally on a corporate network the group 'Everyone' means all authenticated users, in the cloud that often means literally everyone. This mistake has been made, it's not as stupid as you'd think when you have sync'd your Active Directory to your cloud providers inbuilt authentication system as all your accounts and groups show up as you'd expect however the inbuilt cloud ones also exist, can name overlap and often take precedence over your own.

 

For IaaS (Infrastructure as a Service) this is functionally no different to running the VMs on local hypervisors.

 

Cloud isn't more secure, neither is it any less, it's as secure as the person using it and if they were incompetent on local infrastructure they will be equally so in cloud infrastructure. Cloud never has and never will be a magic cure all, it's just a different thing with different standard operating procedures.

 

No cloud provider will ever state or imply that they will take the data security and compliance risk from you and do this on your behalf, they only promise their systems are secure up to the point that control is handed to the customer, not beyond that.

[HarryNyquist]

but of course they'd hit a company I can't leave.

 

Fucking auto loan.

[TetraSky]

Glad I don't have a Capital One card...

Though my brother used to have one 5 years ago, I hope they've expunged his data.

 

But this isn't as bad as the Desjardins breach from a few months back where nearly 3 million people had their SIN stolen and sold by a scumbag employee... Who still hasn't been charged with anything last I checked. The victims got 5 years of the complete protection package with Equifax.

 

[paddy-stone]

This is the problem with companies being able to tell YOU what information they NEED to verify your identity, and such... and that they need to keep copies of it. Why? why the fuck if you've already verified my identity, do you need to keep a copy of that very sensitive/important data such as an image of your passport, social security? once you're verified as being who you say you are, they should properly dispose of the data I think, so that breaches in their companies security, doesn't lead to more problems for their customers.

 

I think we should have a much bigger say in which data a company is allowed to have from us, and that WE get to tell THEM, whether or not they can retain that information.

[jiyeon]

3 hours ago, TechyBen said:

Oh, never knew NCIX did Credit card security?!

 

/Buuuuurn.

Oooh... Slow burn...

[Ezzy-525]

Anyone know if this affects UK customers?

[TechyBen]

5 hours ago, leadeater said:

Customers of cloud providers are still the controllers of security, that is inclusive of the provided resources and systems they deploy in to the provider. Utilizing cloud resources without knowing what you are doing can result in huge security issues, for example normally on a corporate network the group 'Everyone' means all authenticated users, in the cloud that often means literally everyone. This mistake has been made, it's not as stupid as you'd think when you have sync'd your Active Directory to your cloud providers inbuilt authentication system as all your accounts and groups show up as you'd expect however the inbuilt cloud ones also exist, can name overlap and often take precedence over your own.

 

For IaaS (Infrastructure as a Service) this is functionally no different to running the VMs on local hypervisors.

 

Cloud isn't more secure, neither is it any less, it's as secure as the person using it and if they were incompetent on local infrastructure they will be equally so in cloud infrastructure. Cloud never has and never will be a magic cure all, it's just a different thing with different standard operating procedures.

 

No cloud provider will ever state or imply that they will take the data security and compliance risk from you and do this on your behalf, they only promise their systems are secure up to the point that control is handed to the customer, not beyond that.

Yeah, there are quite a few examples of cloud users not even setting access controls, thus everything being public.

[Suika]

sorry I can't stop laughing

[The King of the Undead]

43 minutes ago, Suika said:

sorry I can't stop laughing

[Brooksie359]

6 hours ago, HarryNyquist said:

but of course they'd hit a company I can't leave.

 

Fucking auto loan.

I am just glad that I got my auto loan from them after the date of the hack. 

[S w a t s o n]

I am Canadian and have a card with Capital One. If my SIN was leaked im going to bend them over so hard. Some bullshit credit monitoring wont cut it at all

[79wjd]

1 hour ago, S w a t s o n said:

I am Canadian and have a card with Capital One. If my SIN was leaked im going to bend them over so hard. Some bullshit credit monitoring wont cut it at all

I'm pretty positive you have that backwards.

[S w a t s o n]

1 hour ago, 79wjd said:

I'm pretty positive you have that backwards.

Maybe if it was you

[79wjd]

21 minutes ago, S w a t s o n said:

Maybe if it was you

I see someone lives in Lala Land.

 

Realistically you join in on a class action, get $5, some credit monitoring, and switch to another banking organization that almost absolutely has some other data breach cracking open.

[S w a t s o n]

30 minutes ago, 79wjd said:

I see someone lives in Lala Land.

 

Realistically you join in on a class action, get $5, some credit monitoring, and switch to another banking organization that almost absolutely has some other data breach cracking open.

It'll be more than $5 but, it's quite easy to get redemption without a class action too.

[maartendc]

18 hours ago, AlexOak said:

. That's all you need to know along with the guy behind this breach has been caught.

 

It was a woman.

 

On topic: this sucks! How is this information not stored encrypted??