The FBI has arrested a 33-year-old software engineer in Seattle as part of an investigation into a massive data breach at financial services company Capital One.

Paige A. Thompson, also known by the online handle “erratic,” has been charged with one count of computer fraud and abuse, after an investigation uncovered that a hacker had broken into cloud servers run by Capital One and stolen data related to over 100 million credit-card applications.

Exposed information, according to Capital One, included data collected in credit card applications between 2005 and early 2019 such as:

  • names
  • addresses
  • zip codes/postal codes
  • phone numbers
  • email addresses
  • dates of birth
  • income

Beyond the credit card application data, the hacker also obtained portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

Capital One says that about 140,000 Social Security numbers and approximately 80,000 linked bank account numbers of its secured credit card customers were also breached.

In a statement posted on its website, Capital One blames a “configuration vulnerability” for the security breach, which allowed the hacker to access the sensitive information.

Capital One determined on July 19 that an outside party had managed to access its systems without authorisation, and began working with federal law enforcement.

However, it seems that the investigation only began after a security researcher who was an acquaintance of the alleged hacker emailed the firm’s responsible disclosure program two days earlier, telling the company that sensitive data from its cloud-based Amazon Web Services S3 bucket was present on GitHub.

Capital One notified of data breach

Hello there,

There appears to be some leaked s3 data of yours in someone’s github / gist


Let me know if you want