Another week, another massive data breach.
Capital One, the fifth-largest U.S. credit-card issuer and banking institution, has recently suffered a data breach exposing the personal information of more than 100 million credit card applicants in the United States and 6 million in Canada.
The data breach that occurred on March 22nd and 23rd this year allowed attackers to steal information of customers who had applied for a credit card between 2005 and 2019, Capital One said in a statement.
However, the security incident only came to light after July 19 when a hacker posted information about the theft on her GitHub account.
The FBI Arrested the Alleged Hacker
The FBI arrested Paige Thompson a.k.a erratic, 33, a former Amazon Web Services software engineer who worked for a Capital One contractor from 2015 to 2016, in relation to the breach, yesterday morning and seized electronic storage devices containing a copy of the stolen data.
Thompson appeared in U.S. District Court on Monday and was charged with computer fraud and abuse, which carries up to five years in prison and a $250,000 fine. A hearing has been scheduled for August 1, 2019.
According to court documents [PDF], Thompson allegedly exploited a misconfigured firewall on Capital One’s Amazon Web Services cloud server and unauthorizedly stole more than 700 folders of data stored on that server sometime in March.
“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” U.S. Attorney Moran said. “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”
It is important to note that Amazon Web Services was not compromised in any way since the alleged hacker gained access to the cloud server due to Capital One’s misconfiguration and not through a vulnerability in Amazon’s infrastructure.
images from Hacker News