2019-08-02_AppleMagazine

(C. Jardin) #1

Prosecutors said a misconfigured Capital One
firewall let Thompson access folders of data that
Amazon Web Services was hosting for the bank.
Thompson sent a command that returned a list
of more than 700 folders and copied data from
an unspecified number of them. Capital One
said the bulk of the hacked data consisted of
information supplied by consumers and small
businesses who applied for credit cards between
2005 and early 2019. The hacker also was able to
gain some access to fragments of transactional
information from dates in 2016, 2017 and 2018.
The bank said it believes it is unlikely that the
information obtained was used for fraud, but the
investigation is ongoing.
Capital One says 140,000 individuals had
their Social Security numbers accessed,
and another 80,000 had their bank account
information accessed.


HOW DID CAPITAL ONE HANDLE THE BREACH?


Capital One says once it learned of the breach on
July 17, it immediately closed the vulnerability,
and it was able to figure out what Thompson
accessed 36 hours later, on July 19. The company
was able to build a profile on Thompson from
their internal investigation, and handed that to
the FBI, who arrested her 10 days later, the day
the bank disclosed the breach.
By contrast, it took Equifax six weeks before it
publicly disclosed its security incident, which was
similar in size.


WHAT TO DO


Capital One said it will reach out to those
affected using “a variety of channels.”
The bank said it will make free credit
