Special Agents of the Federal Bureau of Investigation (FBI) today arrested and charged Paige A. Thompson, also known on social media as “erratic”, for illegally accessing personal information stored by CapitalOne Financial Corporation that is associated with more than a hundred million Americans and six million Canadians.
The FBI alleges that between approximately March 12th, 2019 and July 17th, 2019, Thompson “intentionally accessed a computer without authorization, to wit, a computer containing information [namely, credit card applications] belonging to Capital One Financial Corporation, and thereby obtained information contained in a financial record of a financial institution and of a card issuer as defined in Section 1602 of Title 15, and information from a protected computer.”
“The intrusion occurred through a misconfigured web application firewall that enabled access to the data,” a statement from the U.S. Attorney’s office explained. “On July 17th, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19th, 2019, that there had been an intrusion into its data, Capital One contacted the FBI.”
Thompson’s alleged actions violate Title 18 of the United States Code, specifically Sections 1030(a)(2)(A) and (C), and (c)(2)(A) and (B)(iii).
At a hearing in Western Washington District Court before Magistrate Judge Mary Alice Theiler, Defendant Thompson was ordered held without bail due to an alleged risk of flight. Arraignment is scheduled for August 1st.
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” CapitalOne said in a statement. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Chairman and CEO of CapitalOne.
“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
140,000 Social Security numbers were compromised, along with nearly 80,000 bank account numbers, according to CapitalOne’s statement.
The bank published the following Q&A as part of its statement.
What was the vulnerability that led to this incident?
We believe that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment. Among other things, we also augmented our routine automated scanning to look for this issue on a continuous basis.
How did you discover the incident?
Like many companies, we have a responsible disclosure program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on July 17th, 2019. We then began our own internal investigation, leading to the July 19th, 2019, discovery of the incident.
When did this occur?
On July 19th, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers. This occurred on March 22th and 23rd, 2019.
Was the data encrypted and/or tokenized?
We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data. However, it is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected.
Did this vulnerability arise because you operate on the cloud?
This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments. The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.
What are the expected financial impacts of the incident?
We expect the incident to generate incremental costs of approximately $100 to $150 million in 2019. Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support. We expect to accrue the costs for customer notification and credit monitoring in 2019. The expected incremental costs related to the incident will be separately reported as an adjusting item as it relates to the Company’s financial results.
For years we have invested heavily in cybersecurity and we will continue to do so. Beyond the adjusting item in 2019, we expect any incremental investments in cybersecurity to be funded within our current budget.
The Company carries insurance to cover certain costs associated with a cyber risk event. This insurance is subject to a $10 million deductible and standard exclusions and carries a total coverage limit of $400 million. The timing of recognition of costs may differ from the timing of recognition of any insurance reimbursement. Gains on insurance recoveries associated with the incident will also be treated as an adjusting item as it relates to the Company’s financial results.
The Company is affirming its existing efficiency guidance, which in all cases is net of adjustments. The Company expects to achieve modest improvement in 2019 annual operating efficiency ratio compared to the 2018 annual operating efficiency ratio.
Relative to 2019, the Company also continues to expect modest improvement in 2020 annual operating efficiency ratio. And the Company continues to expect annual operating efficiency ratio to be 42 percent in 2021. The Company continues to expect that improvements in operating efficiency ratio will also drive significant improvement in annual total efficiency ratio in 2021.
Thompson was arrested at her home, according to the FBI’s sworn affidavit. A total of five individuals were present at the time the FBI executed its search warrant. Digital devices belonging to Thompson were seized as part of the search that contain incriminating information about Thompson’s activities.
In a June 18th series of messages obtained by the FBI, Thompson stated her intent to disseminate the information that she had stolen:
“I’ve basically strapped myself with a bomb vest… dropping capitol [sic] ones [sic] dox and admitting it… I wanna distribute those buckets i think first… there[‘s] ssns [Social Security Numbers] with full name and dob [Date of Birth].”
Thompson’s possible motivation for taking the credit card application information is not discussed in the complaint. According to federal court records, a public defender has been appointed for Thompson. She faces up to five years in prison and a fine of $250,000. The case number is 2:19-mj-00344-MAT.