ANOTHER week and yet another data breach, this time in the US where the country’s seventh-largest commercial bank, Capital One Financial Corp, has admitted that a hacker gained access to personal information from more than 100 million credit applications.

Federal authorities were quick off the mark to arrest transgender woman Paige Thompson – who goes by the handle “erratic” – and who has already appeared in court in Seattle, charged with a single count of computer fraud and abuse.

The 33-year-old is a former Amazon Web Services (AWS) software engineer, and has been remanded in custody pending a detention hearing. AWS is Amazon’s cloud service and where Capital One stores its data. Bank sources say the hacker managed to obtain information including credit scores and balances, as well as the social security numbers of around 140,000 customers.

The institution said those affected would all be offered free credit monitoring services.

FBI officers said they raided Thompson’s home on Monday and seized various digital devices.

Their initial search is said to have turned up files that referenced Capital One, as well as “other entities that may have been targets of attempted or actual network intrusions”. The bank said it found out about the vulnerability in its system on July 19 and immediately sought help to catch the perpetrator from law enforcement officers.

HOW WAS IT DONE?
ACCORDING to the complaint filed by the FBI, someone emailed Capital One two days before the vulnerability was found, telling the company that leaked data had appeared on the Microsoft-owned code-hosting site GitHub.

A month before that, the FBI said, a Twitter user who went by the nickname “erratic” sent another social media user direct messages warning about distributing the data.

The National: Paige Thompson aka erratic

They said this included names, dates of birth and social security numbers. The second user later reported the message to Capital One. One of the messages read: “Ive basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it.

“I wanna distribute those buckets i think first.”

Capital One said it believed it was unlikely that the information was used for fraud, but its investigation will continue.

Around 100 million people in the US and six million in Canada were affected by the breach.

The bank said most of the hacked data consisted of information supplied by small businesses and consumers who applied for credit cards between 2005 and 2019.

In addition to information like phone numbers, email addresses, birth dates and self-reported income, the hacker was also able to gain access to credit scores, credit limits and balances, as well as fragments of transaction information from a total of 23 days during 2016, 2017 and 2018.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said the bank’s CEO Richard Fairbank.

“I sincerely apologise for the understandable worry this incident must be causing those affected and I am committed to making it right.”

WHERE WILL THIS ALL END?
ATTACKS such as this put a focus not only on personal computer security but on the responsibilities that banks and financial institutions have to keep our data secure.

US-based multinationals are a big target because of their vast size and the potential pickings.

Two years ago Equifax, one of the world’s major credit reporting companies, suffered a data breach that exposed social security numbers and other sensitive information on around half of America’s population. As well as doing a vast amount of reputational damage, the breach cost the company at least $700 million (£575m) to settle lawsuits over it with federal authorities and states.

Last year the General Data Protection Regulation (GDPR) came into force in the European Union and European Economic Area – the biggest shake-up in data privacy in two decades.

Under the Data Protection Act, which preceded GDPR, companies could only be fined up to £500,000, but since the new rules came in the maximum penalty has risen to €20m (£18.3m), or 4% of annual global turnover.

Earlier this month it emerged that British Airways was facing a record fine of £183m for last year’s breach of its security systems. BA said hackers had carried out a “sophisticated, malicious criminal attack” on its website, during which the Information Commissioner’s Office (ICO) said users were diverted to a fraudulent site, where the details of around 500,000 customers were harvested.

Information Commissioner Elizabeth Denham said then: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft, it is more than an inconvenience.”

CAN WE STOP HACKERS?
TRUTHFULLY? It’s unlikely. Security professionals are only too aware that as knowledge increases in their own sector, the hacking community is never far behind and sometimes ahead of them.

In recent years, major banks have tried to stem the risk of data breaches by replacing customer credit and debit cards with the more secure chip-based cards. While measures such as these may improve security, it appears there is no substitute for “stop, look and think” when using chip-and-PIN.

One expert told The National: “These cards are said to be secure, but the technology is more than 15 years old, so cyber criminals have had plenty of time to work out how to hack them. Big companies, banks and financial institutions are always going to be targets for hackers and they will always have to try to be several steps ahead of them.”