*Update: GitHub and Capital One are being sued as part of a class action lawsuit for failing to prevent the data breach and securing the customers’ personal information.
On July 29th, 2019, it was announced by Capital One in a press release that someone had gained unauthorized access to Capital One customers’ personal, credit card, and bank account information. This data breach came to the attention of the company on July 19th, although the incident is said to have occurred on March 22nd or 23rd. The question that remains unanswered is: Why did it take so long for the company to realize they had been breached?
How Did This Occur?
The FBI have arrested Seattle Software Engineer Paige A. Thomas for computer fraud and abuse in relation to this massive data breach. Online, she went by the hacker name ‘erratic’. She was an employee for Amazon Web Services (AWS), who hosted the Capital One cloud server that was breached.
According to Capital One, the perpetrator accessed their server by, “exploiting a specific configuration vulnerability in our infrastructure.” Its reported that the vulnerability was a misconfigured firewall, and with this, customers’ data was decrypted. The FBI caught onto the breach when they found that Thomas had posted the data and her resume to her GitHub account, and talked about stealing the data on Slack. Usually hackers are supposed to cover their tracks, but I guess that wasn’t a concern of Thomas.
After being made aware of the vulnerability, Capital One immediately addressed and fixed it so their server could not be exploited again. They have yet to email customers’ who were affected by the breach.
What Data Was Affected?
According to Capital One, the majority of compromised data was that of small businesses and customers who applied for their credit card products anytime from 2005 to early 2019. Personal and bank information that may have been breached includes:
- Full Name
- Address and Zip Code
- Phone Number
- Email Address
- Credit Score
- Credit Limit
- Account Balance and Payment History
- Bank Account Number
- Social Security Number
The company did say that customers’ login credentials were not affected. In the United States, a total of 100 million people, 80,000 bank account numbers, and 140,000 social security numbers were compromised. In Canada, about 6 Million customers were affected as well.
How To Protect Your Capital One Account
Until the compnay notifies the customers that have been impacted by this Capital One Data Breach, there are some steps you can take to protect your account.
– Check Your Account For Suspicious Activity
The first thing you should do is check your Capital One account for suspicious activity. If you do see any irregular purchases, immediately contact Capital One. To learn of the different ways you can do so, visit this page.
– Change Your Password and Utilize Your Account’s Security Settings
Even though this latest data breach did not compromise customer account login credentials, it can’t hurt to change your password and check your security settings. Make sure to change your bank account password to something that is a random combination of letters, numbers, and symbols, and not guessable. For your account security settings, make sure you have two-step authentication and security questions in place. You could also enable SwiftID, which provides an extra layer of security for those using the Capital One mobile app.
– Freeze Your Credit
To prevent someone from assuming your identity and opening a bank account in your name, you can freeze your credit. Doing this does not cost you anything, but you will need to contact Equifax, Experian and TransUnion.
– Use CreditWise From Capital One Free Credit Monitoring
To make sure your credit score isn’t being affected by suspicious account activity and/or by this latest data breach, sign-up for free credit monitoring. You can do so for Capital One by visiting this page and following the prompts.
Data breaches such as this one are no laughing matter, especially with 100+ million people being affected. As a customer, all you can do is take the necessary precautions to keep your bank account and personal information secure.
Recent Hacking News – Phone Call Espionage: ‘Operation Softcell’ Hacked Cell Phone Providers