Details about one of the largest data breaches in history were released yesterday, creating concern for Capital One customers and applicants. On July 19th, a portion of Capital One’s data concerning 100 million individuals in the United States and 6 million in Canada was accessed by an outside individual who exploited a misconfigured web application firewall. The information was extracted from data that Capital One stores directly on Amazon’s servers. Capital One states that the breach was noticed immediately, that the configuration vulnerability was fixed, and that the company promptly began working with federal law enforcement.
The statement from Capital One comes in the wake of the FBI’s arrest of the person responsible, and details about the accused, Paige Thompson, paint a very interesting picture. It turns out that Paige previously worked as a software engineer for Amazon Web Services and knew the system that she was exploiting intimately. CNN Business reports that Paige was a less-than-careful suspect, stating that sources allege she was talking about the breach with colleagues on a chat service called Slack. Paige allegedly posted “I wanna get it off my server that’s why Im archiving all of it lol,” despite alarm from those she had told, who allegedly wrote back to her that the information was “sketchy,” adding, “don’t go to jail plz.” She even posted the leaked data on a code platform called GitHub using her full first and last name, suggesting that she was not trying to hide her illegal actions.
Based on the information uncovered during the investigation of the data breach, Capital One’s analysis is that it is unlikely that the information was used for fraud or disseminated by Paige. Capital One’s statement also outlines that, “No credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.” Paige did have access to personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income, as well as portions of credit card customer data and a portion of Social Security numbers and linked bank account numbers. Capital One states that it will notify those affected through multiple channels and will make free credit monitoring and identity protection available to everyone touched by this incident.
As someone who works with technical people, I can understand how this programmer could get tunnel vision in finding a way to ‘clean up her server’ and forget about the real-world consequences of her actions. The way our consultants at LeafTech zero in on our client’s issues and focus deeply on solving what is in front of them in the moment is a less extreme form of the laser focus that possibly led Paige down this haphazard hacking path. I know I’ll be following the development of this story to see if she really did or did not have criminal intent in her actions.