Hacker accesses 100M Capital One customer records

In a breach rivaling the biggest of the 21st century, a hacker has gained access to 100 million customer credit card applications and accounts at Capital One.

Capital One Financial Locations Ahead Of Earnings
Signage at a Capital One cafe branch in San Francisco, California, U.S., on Thursday, Jan. 20, 2022. Capital One Financial Corp. is scheduled to release earnings figures on January 25. Photographer: David Paul Morris/Bloomberg
David Paul Morris/Bloomberg

The bank reported that it was “unlikely that the information was used for fraud or disseminated" by the hacker and that no credit card numbers or passwords were exposed.

The hacker was determined to be Paige Thompson, a former Amazon employee who goes by the name “erratic” online. Thompson has been charged with computer fraud and abuse in the Western District of Washington, where she is located. Authorities said Thompson took advantage of a misconfigured firewall to access the bank’s credit card customer data.

According to the criminal complaint, Thompson posted on the information sharing site GitHub about her theft of information from the servers storing Capital One data. On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered data theft. Capital One contacted the FBI on July 19 after it determined there had been an intrusion on its user data. On July 29, agents executed a search warrant at Thompson’s residence and seized electronic storage devices containing a copy of the data.

“Capital One quickly alerted law enforcement to the data theft, allowing the FBI to trace the intrusion,” said Brian Moran, U.S. Attorney for the Western District of Washington, in a statement. “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”

While computer fraud and abuse is punishable up to five years in prison and a $250,000 fine, organizations can face much higher fiscal ramifications — the Equifax breach of 2017 which affected 143 million people resulted in a $650 million consumer settlement.

Capital One has said it will “notify affected individuals through a variety of channels,” so firm clients who believe they may have been affected should monitor their emails for possible communication from the bank. However, accountants should also urge their clients to be careful and not click on links or respond to emails that appear to come from Capital One, as other cybercriminals may use this opportunity to phish for customer information. Clients have been asked to forward any suspected phishing emails to abuse@capitalone.com.

Capital One has promised to make free credit monitoring and identity protection available to anyone affected by the breach, a precedent set by recent breaches.

Accountants can also direct their clients to Capital One’s FAQ page regarding the incident.

For reprint and licensing requests for this article, click here.
Cyber security Cyber attacks Data breaches Data security
MORE FROM ACCOUNTING TODAY