
Capital One Settles with Nearly 100M Data Breach Customers

— January 5, 2022

Capital One settles biggest data breach in history.

Capital One has agreed to pay $190 million to settle a class-action lawsuit filed by customers of the bank. The hacker, Paige Thompson, stole the personal data of nearly 100 million people in 2019. Thompson, in her thirties, is a former software engineer at the Seattle technology company Amazon (AMZN) Web Services. U.S. prosecutors stated she used knowledge from her previous employment at Amazon along with scripts to scan for Amazon Web Services (AWS) servers where “web application firewalls had been misconfigured.”

Thompson was accused of ultimately breaking into a Capital One server and gaining access to “140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers, in addition to an undisclosed number of people’s names, addresses, credit scores, credit limits, balances, and other information,” according to the bank and the U.S. Department of Justice (DOJ).


The Department of Justice court filing indicated that the former software engineer’s plan to find misconfigured web application firewalls is what led her to the information. She then bragged about the breach, attempting to share the information she obtained with others online. “The intrusion occurred through a misconfigured web application firewall that enabled access to the data,” the DOJ said.

Thompson specifically posted on the code-sharing site GitHub about her theft, and on July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility that it had been the victim of a data breach.

As soon as the company was tipped off, Capital One contacted the Federal Bureau of Investigation (FBI), and cyber investigators were subsequently able to identify Thompson as the person who had posted the comments. Upon executing a search warrant at her residence, investigators seized electronic storage devices containing a copy of the stolen data.

“Capital One quickly alerted law enforcement to the data theft – allowing the FBI to trace the intrusion,” said U.S. Attorney Moran at the time, adding, “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.”

New charges were filed against Thompson in July 2021, postponing her trial. These included “six counts of computer fraud and abuse, and one count of access device fraud,” according to court documents. The charges came as cyber investigators made more headway in analyzing the data they had seized.

For its part, Capital One’s settlement will cover the 98 million customers affected by the breach. Despite the deal, the banking company and its cloud services provider, Amazon Web Services, have denied liability. They agreed to settle, they indicated, “in the interest of avoiding the time, expense and uncertainty of continued litigation,” according to their filing in federal court in the Eastern District of Virginia. In 2020, Capital One also agreed to pay $80 million to settle claims by regulators who had accused it of not having proper cybersecurity procedures in place as it made the switch to cloud storage technology.

Thompson’s new trial date has been set for March 2022.
