Capital One has announced a major breach of customers’ personal data, affecting over 100 million Americans and a further six million in Canada.
The financial institution blamed “unauthorized access by an outside individual” who has been arrested by the FBI and is now in custody.
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the firm explained.
“This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
However, the trove also included 140,000 Social Security numbers, 80,000 linked bank account numbers and one million Canadian Social Insurance numbers.
The bank blamed a “configuration vulnerability” exploited by the suspected attacker, but said “this type of vulnerability is not specific to the cloud.
“The elements of infrastructure involved are common to both cloud and on-premises data center environments,” it added.
In fact, according to a statement from the US Department of Justice, it appears as if the individual is “a former Seattle technology company software engineer” at a cloud computing provider who posted the details of the breach on GitHub.
Reports suggest the person in question, Paige Thompson, worked at Amazon Web Services.
“The intrusion occurred through a misconfigured web application firewall that enabled access to the data,” it revealed.
“On July 17, 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft. After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI.”
The revelation that a tech insider stole highly sensitive customer data from a client should not affect the overall migration to public cloud environments, according to Igor Baikalov, chief scientist at Securonix.
“Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds,” he argued.
“This fact alone shouldn't be considered a setback for the adoption of public cloud. It should rather be viewed as another harsh reminder of the importance of third-party security and insider threat programs for both providers and consumers of public cloud services."