Capital One Financial Corp. has indicated that personal information, such as names, addresses, phone numbers and credit scores of about 100 million of its customers located in the U.S. plus some six million people in Canada have been obtained by a hacker. The company was aware of the hack on July 19, 2019 but the information was not released until July 30.
According to the U.S. Justice Department an individual called Paige Thompson, who is a former Seattle technology company software engineer, has been detained on a criminal complaint. This relates to computer fraud and abuse for hacking into Capital One Financial Corp.’s stored data, meaning that Thompson is the prime suspect.
Commenting on the data breach, Will LaSala, Director Security Solutions, Security Evangelist, OneSpan told Digital Journal: “Systems and network engineers have access to all kinds of personal data in most systems, and it only takes one bad actor to shine light on a huge potential security hole. In most organisations, the people that develop and code the systems have access to underlying controls that can be modified to meet a malicious insider’s nefarious needs.”
In terms of a way forwards, he recommends: “Having proper DevSecOps, processes and procedures in place will help organisations analyse what is happening and detect the necessary actions to stop bad actors in their tracks, before they can cause huge damage. But processes alone are sometimes not enough, and this is where technologies that automatically harden backend and client side systems can help organisations face insider attacks head on.”
In terms of how the data breach occurred, it appears that hacker was able to gain access to financial and personal data via a misconfigured web application firewall.
In a statement, a spokesperson from Capital One notes: “Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”