A hacker infiltrated US bank Capital One's network through an infrastructure vulnerability, affecting millions of users in the US and Canada.
It's another day, and with it comes another major hack of a massive public service.
This time, however, the victim is not a social media giant, but a major US bank: Capital One.
On July 19, Capital One recognized that its system had been breached, and that a hacker had "obtained certain types of personal information relating to people who had applied for... credit card products and to Capital One credit card customers," the company said in a statement.
No bank account numbers or Social Security numbers were compromised, other than:
No credit card account numbers or log-in credentials were compromised.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of the bank's credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
The alleged perpetrator, a hacker by the name of Paige Thompson, was arrested on Monday. Thompson had hacked Capital One's systems on March 22nd and 23rd, 2019.
"The Capital One incident is the latest in a string of high-profile, high-impact data breaches," Salam Yamout, the Internet Society’s Middle East regional director, said. "The hacker in this case unlawfully gained access to users’ information by exploiting a misconfigured web application firewall – something that could have been prevented."
Yamout continues: "This is a grave reminder that companies holding personal and sensitive data need to be extra vigilant. The responsibility for good data stewardship lies with everyone in an organisation, not just the C-suite or IT security team. Use strong passwords and multi-factor authentication, keep software updated, be careful with email, encrypt/hash and back up your data where ransomware can’t get to it – these basics would prevent a significant percentage of not just breaches, but all cyber incidents."
"Security experts and business leaders are scratching their heads today," Homayun Yaqub, Senior Director of Strategy at Forcepoint, said. "It appears that Capital One’s breach was an exploit of a configuration issue in a firewall, something that's typically rectified by routine security audits and controls. This significant breach shows how today's enterprise security deployments are increasingly complicated, with the use of various cloud platforms and access to sensitive data as examples. Another important fact is that more and more individuals outside of an organization have knowledge of how enterprise systems work and how organizations maintain and access their data in the cloud, giving them insider views that could be used for nefarious purposes. These complexities put a spotlight on establishing the right controls and business processes to continuously test and stress an organization’s security posture as the risk landscape is always evolving."
"You used to be able to draw solid lines around your systems and infrastructure," Stuart Taylor, Senior Director, Forcepoint Security Labs, said. "As soon as you deploy to a cloud system, you immediately erase those dark lines. It means you fundamentally need to change how you approach security. This drives toward having to look at the anomalies rather than looking at the perimeter."