In light of the recent settlement talks over the 2017 Equifax breach, it is all too timely that a data breach at Capital One was disclosed this morning. Between March 22nd and 23rd, 2019, a software engineer was able to access information on more than 100 million Capital One customers in the US and Canada. Those affected include anyone who obtained one of the company’s credit cards dating back to 2005. Information taken during the breach includes the data Capital One routinely collects when it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income, as well as limited Social Security numbers and linked bank account numbers. The culprit, Paige Thompson, a former Amazon Web Services (AWS) employee, was arrested by the FBI yesterday and has been charged with a single count of computer fraud and abuse after internet posts about the data theft were linked back to her.
Capital One, like many organizations today, uses all-cloud or hybrid cloud environments to support its business and to stay relevant and competitive. This breach involved a hosted service through AWS, and Ms. Thompson was able to take advantage of a misconfiguration in a web application firewall to access the data on the backend. Capital One is no stranger to breaches, as it has suffered from past incidents in 2014 and 2017 at the hands of former employees.
What does this mean for you and what is Capital One doing about this?
Capital One will be reaching out to affected customers and offering them credit monitoring and identity protection services. If you don’t already have these in place, it is highly recommended that you take advantage of the offer.
Monitor your credit cards and bank accounts for suspicious activity and report any to the associated bank as soon as possible. Refer to the Federal Trade Commission’s “Identity Theft: A Recovery Plan” booklet for assistance and step-by-step instructions on how to monitor your credit, obtain free copies of your credit report and, if necessary, place freezes on your credit.
How could this impact you?
Whenever data breaches like this occur, scams will likely increase. As always, please:
- Do not respond or provide information to unsolicited phone calls or emails
- Visit a legitimate website to retrieve contact information for any company you are trying to reach
- Never provide sensitive information to a person you do not know, to a company that you are unfamiliar with, or to a “friend” whom you have never met in person or only recently met online