Capital One Data Theft Affects 106 Million People – Krebs on Security



Federal prosecutors this week charged a Seattle woman with stealing data from more than 100 million credit applications made to Capital One Financial Corp. Incredibly, much of this breach played out publicly over several months on social media and other open online platforms. What follows is a closer look at the accused and what this incident may mean for consumers and businesses.

Paige "erratic" Thompson, in an undated photo posted to her Slack channel.

On July 29, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada.

That data included approximately 140,000 Social Security numbers and roughly 80,000 bank account numbers of U.S. consumers, as well as about 1 million Social Insurance Numbers (SINs) of Canadian credit card customers.

"It is important to note that no credit card account numbers or log-in credentials were compromised and that more than 99% of Social Security numbers were not compromised," Capital One said in a statement posted on its website.

"The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019," the statement continues. "This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income."

According to the FBI, Capital One learned of the theft from an email it received on July 17, which informed the company that some of its leaked data was being stored out in the open on the software development platform Github. That Github account belonged to a user named "Netcrave," and it included the resume and name of one Paige A. Thompson.

The tip that alerted Capital One to its data breach.

The complaint does not explicitly name the cloud hosting provider from which the Capital One credit data was taken, but it does say the accused's resume states that she worked as a systems engineer at that provider between 2015 and 2016. That resume, available on Gitlab here, shows Thompson's most recent employer was Amazon Inc.

Further investigation revealed that Thompson used the nickname "erratic" on Twitter, where she spoke openly over several months about finding huge stores of data that were supposed to be secured on various Amazon instances.

Twitter user "erratic" posting about the tools and processes used to access various Amazon cloud instances.

According to the FBI, Thompson also used a public Meetup group under the same alias, where she invited others to join a Slack channel titled "Netcrave Communications."

KrebsOnSecurity was able to join that open Slack channel Monday evening and review many months of erratic's seemingly unfiltered posts about her personal life, interests and online explorations. One of the more interesting posts by erratic on the Slack channel is a June 27 comment listing various databases she found by hacking into poorly secured Amazon cloud instances.

That post suggests erratic may also have located tens of gigabytes of data belonging to other major companies:

According to erratic's posts on Slack, the two items listed above that begin with "ISRM-WAF" belong to Capital One.

Erratic also posted frequently to Slack about her struggles with gender identity, her lack of employment and persistent suicidal thoughts. In several conversations, erratic refers to running a botnet, although it is unclear how serious those claims were. Specifically, erratic mentions a botnet involved in cryptojacking, which uses snippets of code installed on websites, often surreptitiously, to mine cryptocurrency in the browsers of visitors.

None of erratic's posts suggest that Thompson sought to profit from selling data from the various Amazon cloud instances she accessed. But it seems likely that at least some of that data could have been obtained by others who may have been following her activities on the various social media platforms.

Ray Watson, a cybersecurity researcher at cloud security firm Masergy, said the Capital One incident has the hallmarks of many other modern data breaches.

"The attacker was a former employee of the web hosting company involved, which is what is often referred to as an insider threat," Watson said. "She allegedly used web application firewall credentials to obtain privilege escalation. Also, the use of Tor and an offshore VPN for obfuscation is commonly seen in similar data breaches."

"The good news, however, is that Capital One's incident response team was able to react quickly once they were alerted to a potential breach through their responsible disclosure program, which is a concern for many other companies," he continued.
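The article says only that credentials tied to a web application firewall were allegedly used for privilege escalation and that Capital One later fixed a "configuration vulnerability"; it does not describe the actual misconfiguration. The check a cloud security practitioner would want to run after reading it is whether the role attached to any such edge component can list and read every bucket in the account. The following is an added example, not code from the Krebs article, Capital One, or the defendant: a small auditor for IAM policy documents that flags Allow statements granting S3 enumeration or read across all buckets. The bucket name `example-waf-logs`, the statement IDs and the three sample policies are constructed for illustration and are not taken from the case.

```python
"""Audit an IAM policy document for S3 read grants that span every bucket.

Added example. The policies below are constructed; they are not Capital
One's configuration, which the article does not describe.
"""
import fnmatch
import json

# s3:ListAllMyBuckets reveals bucket names (reconnaissance); the two read
# actions let a principal list keys in a bucket and fetch objects.
ENUMERATE_ACTION = "s3:ListAllMyBuckets"
READ_ACTIONS = ("s3:ListBucket", "s3:GetObject")

# Resource patterns that cover every bucket and every object in the account.
WILDCARD_RESOURCES = {"*", "arn:aws:s3:::*", "arn:aws:s3:::*/*"}


def _as_list(value):
    """IAM allows Statement/Action/NotAction/Resource as a string or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _granted(stmt, wanted):
    """Subset of `wanted` actions that an Allow statement grants.

    NotAction grants everything except the listed patterns, so an Allow
    with NotAction "iam:*" still grants all S3 actions.
    """
    if "NotAction" in stmt:
        excluded = _as_list(stmt["NotAction"])
        return [a for a in wanted if not any(_matches(p, a) for p in excluded)]
    patterns = _as_list(stmt.get("Action"))
    return [a for a in wanted if any(_matches(p, a) for p in patterns)]


def find_broad_s3_grants(policy_json):
    """Return one finding per Allow statement that grants S3 enumeration or
    read access on a wildcard resource.

    Deny statements and Condition blocks are deliberately ignored, so a
    finding means "potentially over-broad, review it", not "exploitable".
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        resources = set(_as_list(stmt.get("Resource")))
        broad = sorted(resources & WILDCARD_RESOURCES)

        reads = _granted(stmt, READ_ACTIONS)
        if reads and broad:
            findings.append({"sid": sid, "kind": "read-all-buckets",
                             "actions": reads, "resources": broad})

        # ListAllMyBuckets is only valid on Resource "*", so its presence is
        # reported separately rather than treated as a wildcard read.
        if _granted(stmt, (ENUMERATE_ACTION,)) and "*" in resources:
            findings.append({"sid": sid, "kind": "enumerate-buckets",
                             "actions": [ENUMERATE_ACTION], "resources": ["*"]})
    return findings


# Constructed sample policies for an instance role behind a web application
# firewall. The bucket and Sid names are hypothetical.
OVERBROAD_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WafCanDoAnythingInS3", "Effect": "Allow",
         "Action": "s3:*", "Resource": "*"},
    ],
})

# Same role, reduced to the one log bucket it actually needs.
SCOPED_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListWafLogBucket", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-waf-logs"},
        {"Sid": "ReadWriteWafLogsOnly", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-waf-logs/*"},
    ],
})

# Looks narrow ("everything but IAM") but grants all of S3 on every bucket.
NOTACTION_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Sid": "EverythingExceptIam", "Effect": "Allow",
                  "NotAction": "iam:*", "Resource": "*"},
})

if __name__ == "__main__":
    for name, doc in (("over-broad", OVERBROAD_ROLE_POLICY),
                      ("scoped", SCOPED_ROLE_POLICY),
                      ("not-action", NOTACTION_ROLE_POLICY)):
        print(name, json.dumps(find_broad_s3_grants(doc), indent=2))
```

Run it against a policy exported with `aws iam get-role-policy` or `get-policy-version` and treat every `read-all-buckets` finding on an instance or WAF role as a least-privilege defect to fix, regardless of whether the instance itself is reachable from the internet. The check is intentionally conservative in one direction only: it never clears a policy that a Deny or Condition happens to restrict, and it does not model resource-based bucket policies, so it is a triage tool rather than an authorization simulator.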

In its statement on the breach, Capital One chairman and CEO Richard D. Fairbank said the financial institution fixed the configuration vulnerability that led to the data theft and promptly began working with federal law enforcement.

"Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual," Fairbank said. "While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right."

Capital One said it will notify affected individuals through a variety of channels and will make free credit monitoring and identity protection available to everyone affected.

Bloomberg reports that in court on Monday, Thompson broke down and laid her head on the defense table during the hearing. She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. Thompson will remain in custody until her bail hearing, which is scheduled for August 1.

A copy of the complaint against Thompson is available here.


Tags: Capital One breach, GitHub, Masergy, Paige A. Thompson, Ray Watson, Slack, Twitter

This entry was posted on Tuesday, July 30th, 2019 at 9:59 am and is filed under Data Breaches, Ne'er-Do-Well News.
