This week, news reports broke of a cyber-attack on financial services company Capital One, which led to the theft of data belonging to around 106 million individuals.
In a statement, the company said:
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the statement read.
“This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income,” it added.
Authorities managed to detain an individual suspected of being behind the hack, whom news reports identify as a woman who used to work for Amazon Web Services.
According to the US Justice Department, the arrested woman is 33-year-old Paige Thompson from Seattle. Upon her arrest two days ago, the former technology software engineer was charged with IT fraud and computer abuse for allegedly breaking into Capital One systems and stealing data.
Thompson made her initial court appearance at the US District Court in Seattle on Monday 29th July, where she was ordered “detained pending a hearing on August 1st,” a Reuters report says.
In the wake of the breach going public, Capital One apologised while claiming to have “fixed the configuration vulnerability”.
“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate,” the company said in a statement.
As reported by Computer Weekly, Igor Baikalov of Securonix said:
“The perpetrator of this breach was identified unusually quickly and turned out to be a former employee of Amazon Web Services, a cloud computing company contracted by Capital One.
“Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds.
“This fact alone should not be considered a setback for the adoption of public cloud. It should, rather, be viewed as another harsh reminder of the importance of third-party security and insider threat programmes for both providers and consumers of public cloud services.”