NPI's Cascadia Advocate

Offering commentary and analysis from Washington, Oregon, and Idaho, The Cascadia Advocate provides the Northwest Progressive Institute's uplifting perspective on world, national, and local politics.

Monday, July 29th, 2019

FBI arrests Seattle woman for breaching CapitalOne’s servers; 100 million+ affected

Special Agents of the Federal Bureau of Investigation (FBI) today arrested and charged Paige A. Thompson, also known on social media as “erratic”, for illegally accessing personal information stored by CapitalOne Financial Corporation that is associated with more than a hundred million Americans and six million Canadians.

The FBI alleges that between approximately March 12th, 2019 and July 17th, 2019, Thompson “intentionally accessed a computer without authorization, to wit, a computer containing information [namely, credit card applications] belonging to Capital One Financial Corporation, and thereby obtained information contained in a financial record of a financial institution and of a card issuer as defined in Section 1602 of Title 15, and information from a protected computer.”

“The intrusion occurred through a misconfigured web application firewall that enabled access to the data,” a statement from the U.S. Attorney’s office explained. “On July 17th, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19th, 2019, that there had been an intrusion into its data, Capital One contacted the FBI.”

Thompson’s alleged actions violate Title 18 of the United States Code, specifically Sections 1030(a)(2)(A) and (C), and (c)(2)(A) and (B)(iii).

At a hearing in Western Washington District Court before Magistrate Judge Mary Alice Theiler, Defendant Thompson was ordered held without bail due to an alleged risk of flight. Arraignment is scheduled for August 1st.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” CapitalOne said in a statement. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Chairman and CEO of CapitalOne.

“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

140,000 Social Security numbers were compromised, along with nearly 80,000 bank account numbers, according to CapitalOne’s statement.

The bank published the following Q&A as part of its statement.

What was the vulnerability that led to this incident?
We believe that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment. Among other things, we also augmented our routine automated scanning to look for this issue on a continuous basis.

How did you discover the incident?
Like many companies, we have a responsible disclosure program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on July 17th, 2019. We then began our own internal investigation, leading to the July 19th, 2019, discovery of the incident.

When did this occur?
On July 19th, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers. This occurred on March 22nd and 23rd, 2019.

Was the data encrypted and/or tokenized?
We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data. However, it is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected.
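
The distinction the statement draws, between data that is encrypted at rest and fields that are tokenized under a separate key, is easy to see in code. The following Python example is added here for illustration and is not Capital One's code or a description of its systems: the stream cipher built from an HMAC keystream is a stand-in for real at-rest encryption (a production system would use an AEAD such as AES-GCM), the 9-digit token is derived with HMAC under a vault-only key, and the vault's reverse mapping is an in-memory dictionary. The `exposure_if_data_key_leaks` function models the scenario described above: an attacker who can decrypt the bulk data recovers names and dates of birth, but only tokens in place of Social Security numbers, because the vault key and mapping are held elsewhere.

```python
import hashlib
import hmac
import json
import secrets

# Two independent keys, as the statement describes: one for bulk encryption of
# stored records, a separate one held only by the token vault. Both are
# constructed demo values, not anything from the incident.
DATA_KEY = secrets.token_bytes(32)
VAULT_KEY = secrets.token_bytes(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256, used so the demo needs no
    third-party crypto library. Stands in for 'the data is encrypted at rest';
    a production system would use an AEAD such as AES-GCM instead."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_record(record: dict, data_key: bytes) -> dict:
    """Serialise a record and encrypt it under the bulk data key."""
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(record, sort_keys=True).encode()
    ks = _keystream(data_key, nonce, len(plaintext))
    return {"nonce": nonce.hex(),
            "ciphertext": bytes(a ^ b for a, b in zip(plaintext, ks)).hex()}


def decrypt_record(blob: dict, data_key: bytes) -> dict:
    """What anyone holding the data key (legitimately or not) can recover."""
    nonce = bytes.fromhex(blob["nonce"])
    ct = bytes.fromhex(blob["ciphertext"])
    ks = _keystream(data_key, nonce, len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)).decode())


class TokenVault:
    """Replaces an SSN with a 9-digit token derived under the vault's own key.
    The token-to-SSN mapping exists only inside the vault, so a copy of the
    application data plus the data key yields nothing but tokens."""

    def __init__(self, vault_key: bytes):
        self._key = vault_key
        self._reverse = {}  # token -> SSN; the only place the mapping lives

    def tokenize(self, ssn: str) -> str:
        digest = hmac.new(self._key, ssn.encode(), hashlib.sha256).digest()
        # Keep the field format (9 digits) so downstream schemas are unchanged.
        token = str(int.from_bytes(digest[:8], "big") % 10**9).zfill(9)
        if self._reverse.get(token, ssn) != ssn:
            raise RuntimeError("token collision; rotate the vault key")
        self._reverse[token] = ssn
        return token

    def detokenize(self, token: str) -> str:
        return self._reverse[token]


def store_application(app: dict, vault: TokenVault, data_key: bytes) -> dict:
    """Tokenize the SSN first, then encrypt the whole record for storage."""
    stored = dict(app)
    stored["ssn_token"] = vault.tokenize(stored.pop("ssn"))
    return encrypt_record(stored, data_key)


def exposure_if_data_key_leaks(blob: dict, data_key: bytes) -> dict:
    """Model the scenario in the statement: the attacker can decrypt the bulk
    data. Returns the decrypted record so the caller can see what leaked."""
    return decrypt_record(blob, data_key)


if __name__ == "__main__":
    vault = TokenVault(VAULT_KEY)
    # Constructed sample application, not real data.
    application = {"name": "Jane Example", "dob": "1980-01-01", "ssn": "123456789"}
    blob = store_application(application, vault, DATA_KEY)
    leaked = exposure_if_data_key_leaks(blob, DATA_KEY)
    print("Decrypted record:", leaked)  # name, dob and a token; no SSN
    print("Vault recovers:", vault.detokenize(leaked["ssn_token"]))
```

The point of the separation is that the bulk data key and the tokenization key are different secrets with different custodians, so a single failure that exposes one does not expose the other; the tokenized fields only become readable if the vault itself is compromised.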

Did this vulnerability arise because you operate on the cloud?
This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments. The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.

What are the expected financial impacts of the incident?
We expect the incident to generate incremental costs of approximately $100 to $150 million in 2019. Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support. We expect to accrue the costs for customer notification and credit monitoring in 2019. The expected incremental costs related to the incident will be separately reported as an adjusting item as it relates to the Company’s financial results.

For years we have invested heavily in cybersecurity and we will continue to do so. Beyond the adjusting item in 2019, we expect any incremental investments in cybersecurity to be funded within our current budget.

The Company carries insurance to cover certain costs associated with a cyber risk event. This insurance is subject to a $10 million deductible and standard exclusions and carries a total coverage limit of $400 million. The timing of recognition of costs may differ from the timing of recognition of any insurance reimbursement. Gains on insurance recoveries associated with the incident will also be treated as an adjusting item as it relates to the Company’s financial results.

The Company is affirming its existing efficiency guidance, which in all cases is net of adjustments. The Company expects to achieve modest improvement in 2019 annual operating efficiency ratio compared to the 2018 annual operating efficiency ratio.

Relative to 2019, the Company also continues to expect modest improvement in 2020 annual operating efficiency ratio. And the Company continues to expect annual operating efficiency ratio to be 42 percent in 2021. The Company continues to expect that improvements in operating efficiency ratio will also drive significant improvement in annual total efficiency ratio in 2021.

Thompson was arrested at her home, according to the FBI’s sworn affidavit. A total of five individuals were present at the time the FBI executed its search warrant. Digital devices belonging to Thompson were seized as part of the search that contain incriminating information about Thompson’s activities.

In a June 18th series of messages obtained by the FBI, Thompson stated her intent to disseminate the information that she had stolen:

“I’ve basically strapped myself with a bomb vest… dropping capitol [sic] ones [sic] dox and admitting it… I wanna distribute those buckets i think first… there[‘s] ssns [Social Security Numbers] with full name and dob [Date of Birth].”

Thompson’s possible motivation for taking the credit card application information is not discussed in the complaint. According to federal court records, a public defender has been appointed for Thompson. She faces up to five years in prison and a fine of $250,000. The case number is 2:19-mj-00344-MAT.
