Although legislation in various parts of the world has become much tighter on the protection of confidential information, multiple companies remain highly vulnerable to data breach incidents, affecting millions of users, as reported by experts in ethical hacking.
This time it is the turn of the renowned bank Capital One: according to reports, a hacker gained access to the records of more than 100 million accounts belonging to the bank’s customers and users of the company’s app, making this incident one of the largest data breaches ever.
The bank has accused Paige Thompson, a former IT engineer. According to the U.S. Department of Justice (DOJ), Thompson accessed a bank server and compromised about 1 million Social Security numbers belonging to Canadian citizens and about 140k belonging to U.S. residents, plus 80k bank account numbers and an undetermined number of full names, addresses, credit histories, and other confidential details of Capital One customers.
The incident affected more than 6 million Capital One customers in Canada and 100k users in the U.S. However, the bank assures that its customers’ login credentials and credit card numbers remain secure.
According to ethical hacking specialists close to the case, the bank filed a complaint against Thompson arguing that the defendant planned to share the information with other unidentified actors online. The 33-year-old had previously worked as a software engineer at Amazon Web Services, which provides cloud hosting services to the bank. Capital One maintains that Thompson gained entry to the server by exploiting a misconfigured firewall deployment. U.S. authorities arrested Thompson last Monday; so far the defense has made no comment.
According to the bank’s ethical hacking staff, the attack occurred sometime between March 22 and 23 and the compromised records date back to 2005. Capital One added that the vulnerability in its systems has already been corrected and assured that the likelihood of the information being used for malicious purposes is low, as the person responsible was stopped before she could sell the stolen data. “We apologize for the inconvenience this has caused, activity on our systems will be restored shortly,” said Richard Fairbank, CEO of Capital One.
According to ethical hacking specialists from the International Cyber Security Institute (IICS), the defendant reportedly posted the stolen information on GitHub under her full name and, through her social media profiles, claimed to have access to millions of company records.
In addition, Thompson used a channel on the corporate chat service Slack to explain the method used to access the bank’s servers. “The defendant claims to have put in place a special command to extract the company files stored on Amazon Web Services,” the DOJ said.
The defendant made no attempt to conceal her identity; according to the reports, she identified herself in Slack using the nickname “erratic”, the same name Thompson used on her Twitter account and on other platforms, such as the Meetup chat service. After the information was posted on GitHub, a user informed Capital One, which in turn reported the incident to the FBI, which apprehended Thompson; she has allegedly acknowledged that she acted with malicious intent.