Who's in Your Wallet? Capital One Faces Post-Hack Backlash

July 30, 2019

On Tuesday, share prices in Capital One tumbled by close to 8 percent following news that the credit card company suffered a massive hack, leaving the user information of more than 100 million Americans and 6 million Canadians vulnerable.

But investors aren't the only ones frustrated. With this announcement coming just days after a settlement of the 2017 Equifax data breach, advocates are pointing to this latest hack as just further evidence of why the U.S. should establish federal privacy legislation.

By Tuesday morning, a Connecticut Capital One customer had already filed a class-action complaint against the company for failing to protect consumer data.

New York Attorney General Letitia James also announced that her office will be investigating the hack. "It is becoming far too commonplace that financial institutions are susceptible to hacks, begging the questions: Why do these breaches continue to take place? And are companies doing enough to prevent future data breaches?" she said in a statement.

On Monday, the FBI arrested 33-year-old Paige Thompson in connection with the hack. Thompson is a former engineer for Amazon Web Services, the bureau confirmed to Cheddar.

Thompson's professional background raises concerns over the "insider threat" — a cybersecurity term for attacks orchestrated by those from within a company — and turned eyes toward Amazon Web Services, the cloud computing service used by Capital One. Amazon did not respond to a request for comment from Cheddar, but the company told the New York Times that it had no evidence that its cloud services were compromised.

"The people who are developing these systems — or working with them — are going to have intimate knowledge of them, and understand the code and the vulnerabilities. That's not something, when they leave an organization, they forget," Alex Hamerstone, a governance, risk, and compliance lead at the information security firm TrustedSec, told Cheddar.

"So many organizations have had issues like this. And really, from a consumer standpoint, I don't know if people really take that into consideration anymore," said Hamerstone. "There seems to be almost a numbness from a lot of consumers to this."

The company said that the largest share of data made vulnerable was information typically collected by Capital One when consumers and small businesses apply for a credit card. Thompson was able to gain access to names, addresses, and phone numbers, among other data collected during credit card applications made as early as 2005.

Thompson was also able to access customer status data, credit scores, limits, payment history, and some transaction history.

Capital One said that about 140,000 Social Security numbers were also threatened, as well as about 80,000 linked bank account numbers. The company says that no credit card data was compromised and that 99 percent of Social Security numbers weren't threatened.

An indictment filed by FBI investigators based in Seattle said Thompson hacked Capital One's systems and accessed personal data at some point between March and July of this year, and took advantage of a firewall vulnerability in its systems. The court documents say that Thompson posted on social media that she had access to Capital One's information and that she knew she had violated the law.

Capital One was made aware of the vulnerability by a "white hat" hacker, or ethical hacker, who reported the issue to the company by email in July. After the company contacted the FBI, officials were able to identify Thompson, and then secured a warrant to search her house, where they found copies of the data.