Capital One becomes biggest financial breach
Capital One announced on Monday that it has suffered a data breach by a hacker following a cloud misconfiguration. The amount of information accessed puts this breach on par with the Equifax incident of 2017.
A former AWS (Amazon Web Services) engineer is the culprit in this latest breach and an arrest has already been made. The engineer, identified as Paige Thompson, was able to access PII (personally identifiable information) of more than 100 million people in the U.S. and 6 million in Canada. The FBI made the arrest after the suspect boasted about the data theft on GitHub. Someone in the GitHub chat reported the breach to Capital One, which allowed swift action to be taken. The intrusion is suspected to have taken place between March 19 and July 17.
The hacker was able to access credit applications, social security numbers and bank account numbers due to a cloud misconfiguration. Misconfigurations such as this can happen when cloud services and applications are deployed with default settings or are not checked against proper security standards. In this case, the illegally accessed data was stored on cloud servers rented from AWS (Amazon) and consisted of applications made between 2005 and earlier this year (2019). Credit applications can consist of a multitude of information such as full names, addresses, dates of birth, and financial information. Capital One has issued a full apology (seen below) as well as assurance that no credit-card account numbers or login credentials were compromised.
“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” said Capital One CEO Richard Fairbank, in a statement.
This breach emphasizes the need for companies to take the deployment of new technologies seriously and to carry it out effectively. From the description of the breach it can be deduced that this did not happen because of an elaborate scheme but more so because of a poorly configured firewall that allowed the attacker in. Though it is fortunate that the company and the FBI were able to quickly detect and apprehend the suspect, that gives no assurance that this information was not already passed on to the Dark Web.
This post will be updated as more information is disclosed.