Capital One employees reportedly alerted management about security flaws before the massive hack that exposed the data of 106 million customers.
Paige Thompson, 33, was arrested last month after the FBI said she obtained personal information from more than 100 million Capital One credit applications.
But before that huge hack, employees of the company came forward with concerns that they were understaffed, there were problems with the bank’s internal auditors, human-resources department and other senior executives, The Wall Street Journal reported.
Sources claimed the cybersecurity unit has also seen senior leaders and staffers come and go, and during 2018 alone, about a third of its employees left the team.
According to the sources, routine cybersecurity measures that would help protect the company sometimes were overlooked.
But a Capital One spokeswoman has claimed that the company is ‘constantly developing and adapting’ to ‘an ever-changing threat landscape’.
Capital One (file image) employees reportedly alerted management about security flaws before the massive hack that exposed the data of 106 million customers
Some cyber employees were also concerned that vulnerabilities in Capital One’s firewalls weren’t getting fixed fast enough, one source told the Journal.
The spokeswoman went on to say that Capital One scans for ‘configuration vulnerabilities…and we address them where they’re found’.
Thompson, a transgender woman, was arrested in July in connection to the Capital One hack.
A memorandum filed Wednesday by the US Attorney’s Office in Seattle said servers found in Thompson’s bedroom contained data stolen from over 30 other companies, educational institutions and other entities.
‘The government’s investigation over the last two weeks has revealed that Thompson’s theft of Capital One’s data was only one part of her criminal conduct,’ the document states.
Prosecutors said much of that data ‘varies significantly in both type and amount’ but did not appear to contain personal identifying information.
However, they admit they’re still working to identify all of the organizations specifically affected.
Paige Thompson, 33, was arrested last month after the FBI said she obtained personal information from more than 100 million Capital One credit applications. There is no evidence the data was sold or distributed to others
A portion of that 100 million figure – 140,000 – also had their social security numbers and 80,000 had their credit card details accessed. This Meetup page was linked to Thompson where she went by the screen name ‘erratic’
‘The government expects to add an additional charge against Thompson based upon each such theft of data, as the victims are identified and notified,’ prosecutors said.
The documents fail to list the names of any of the additional companies Thompson is said to have hacked, however its believed Vodaphone, Unicredit, Ford, Michigan State University and the Ohio Department of Transportation are among those affected, TechCrunch reported.
In addition to the hacking charges, the documents – which recommend Thompson be detained – also include accusations of three counts of stalking, threats to ‘shoot-up’ a company’s office and threat to commit ‘suicide by cop’.
The US government noted that Thompson’s past behavior appears to be related to ‘a significant history of mental health problems’.
AMAZON DENIES BLAME FOR CAPITAL ONE HACK
Amazon was quick to issue a statement after the breach became public to say it was not its cloud’s fault.
The Capital One data that was taken was being stored on its Amazon Web Services cloud.
However, both Amazon and Capital One say that it was a fault in Capital One’s systems which allowed Thompson to access it.
‘AWS was not compromised in any way and functioned as designed.
‘The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure.
‘As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud,’ a spokesman told DailyMail.com.
Capital One said in its announcement that its infrastructure is to blame.
‘This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments.
‘The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model,’ Capital One said.
Though AWS insists its systems are not to blame, the breach stokes fears that data it was storing could be taken because other systems aren’t up to scratch.
Thompson was originally arrested for breaking into the Capital One’s systems to steal the addresses, phone numbers and names of 100 million people in the US.
A portion of that figure – 140,000 – also had their social security numbers and 80,000 had their credit card details accessed.
Thompson allegedly pulled it off between March and July of this year by breaking into the bank’s servers through a misconfiguration in its firewall.
The data was being stored on Amazon’s Web Services cloud but Amazon insists it is not to blame for the hack and that she exploited Capital One’s systems to access it.
Capital One admits that there was a fault in its infrastructure, and not Amazon’s, which led to the breach.
After allegedly stealing the data, Thompson left authorities a trail of breadcrumbs, posting online about the hack so much that other hackers warned her she was facing jail.
Her online postings about the hack were reported to Capital One on July 17 in an email from a white hat hacker who had seen the information on a website called GitHub alerted the bank to it in an email.
What Thompson’s motives were remain unclear. The bank said in a statement that it does not believe the hacker’s intention was to steal people’s money.
After her arrest, she told investigators she didn’t sell or share any of the stolen data. In the new court documents, US officials said they haven’t found any evidence to suggest that Thompson lied, which might reduce the extent of the 30 plus breaches of which she’s accused.
On social media, she posted about her desire to commit suicide and complained about her boyfriend being deported to Greece in spite of his ‘AWS principality’.
Capital One and the FBI announced the hack on July 29 but said no one’s money was taken.
‘The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,’ a statement reads.
‘This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
‘Safeguarding applicant and customer information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so.
In a memorandum filed Wednesday, the US Attorney’s Office in Seattle said servers found in Thompson’s bedroom contained data stolen from over 30 other companies, educational institutions and other entities
‘We will incorporate the learnings from this incident to further strengthen our cyber defenses.’
According to the FBI, Thompson posted information she gleaned from the hack onto the GitHub website.
Thompson is also alleged to have posted messages on social media admitting to the hacks while knowing that what she was doing was illegal.
She made her identity known by failing to properly encrypt her IP address which left her full name in it.
On July 17, an anonymous internet user sent an email to Capital One indicating that someone was posting leaked data on GitHub.
The email contained a link whose address included Thompson’s full name – ‘paigeadelethompson’.
Authorities say that they became convinced that Thompson was the owner of the GitHub page.
The page includes a number of server list IP addresses that match the same addresses used by the hacker who broke into Capital One, according to the FBI.
The FBI says that it also found a Meetup page used by Thompson which contains a link inviting others to a Slack chat.
In that chat, Thompson, who went by the alias ‘erratic,’ admitted to others that she hacked the data and was looking for an online location to store it.
HOW DID SHE DO IT?
Capital One said the hacker exploited a ‘misconfiguration’ in the firewall of its infrastructure which allowed her to gain access.
It did not say specifically what she did or how she knew where to look for the vulnerability.
The arrest complaint however, reveals she was able to open folders from her server by breaking through the firewall.
‘A firewall misconfiguration permitted commands to reach and be executed by that server, which enabled access to folders or buckets of data from Capital One’s storage space at the Cloud Computing Company’ (AWS), it read.
Capital One assured customers that it has now fixed the problem and says it will now routinely scan to prevent a similar attack.
It remains unclear how Thompson knew to hack the systems but both Amazon and Capital One say it was a vulnerability within the latter’s systems which caused the problem.
On June 27, one Meetup user chatting with ‘erratic’ wrote: ‘Sketchy s***…don’t go to jail plz.’
To which ‘erratic’ replied: ‘I wanna get it off my server that’s why I’m archiving all of it lol.’
FBI investigators also tracked down a Twitter account alleged to be Thompson’s.
The arrest affidavit contains a screenshot of a Twitter chat by ‘erratic’ in which the user admits: ‘I’ve basically strapped myself with a bomb vest, f*****g dropping capitol ones dox and admitting it…I wanna distribute those buckets i think first.’
The arrest affidavit filed by the FBI states that ‘buckets’ is synonymous with file folders.
By ‘distributing buckets,’ Thompson allegedly meant that she sought to ‘disseminate data stolen from victim entities, starting with Capital One,’ according to the FBI.
According to Thompson’s resume, she worked at a number of Seattle-area tech firms, including Amazon, ATG Stores, and Connect XYZ.
Her last known place of employment was at Amazon, where she worked as a systems engineer from May 2015 until September 2016.
Thompson’s Twitter account reveals a troubled woman who speaks of her desire to undergo doctor-assisted suicide in Denmark.
She also tweeted that her ‘boy’ was deported to Greece, though it is unclear what she meant.
Thompson writes: ‘look im not a stupid person but im hopeless on my own because my emotions are very hard to control i need someone i can trust and my boy got deported to greece despite his worthy MIT/aws/Ec2-security principality.’
MIT presumably is a reference to the Massachusetts Institute of Technology.
This is the second hack for Capital One in two years.
In July 2017, Capital One sent letters to an unspecified number of customers informing them that their data may have been compromised by one of the company’s employees.
Thompson remains in custody in Seattle
Capital One said in the letter that it had fired the employee and notified law enforcement.
The lender is not the only company that has had to deal with lapses in data protection and customer privacy.
Last month it was announced that Equifax, the credit-reporting company, will pay up to a record $650million to settle US federal and state probes into a massive 2017 data breach of personal information.
The largest-ever settlement for a data breach draws to a close multiple probes into Equifax by the Federal Trade Commission, the Consumer Financial Protection Board and nearly all state attorneys general.
It also resolves pending class-action lawsuits against the company.
‘This company’s ineptitude, negligence, and lax security standards endangered the identities of half the US population,’ New York Attorney General Letitia James said in a statement.
Equifax, one of three major credit-reporting companies, disclosed in 2017 that a data breach had compromised the personal information, including Social Security numbers, of 143 million Americans.
The scandal upended the company, which saw the exit of its chief executive, as its security practices and slow speed in disclosing the breach were challenged.
Washington policymakers questioned how private companies could amass so much personal data, setting off efforts to bolster consumers’ ability to protect and control their information.
Under the settlement, the company will establish a $300million restitution fund for harmed consumers that could climb to $425million depending on its use.
Consumers eligible for the fund must submit claims showing they were fraud victims or set up credit-monitoring services following the breach.
Equifax will also pay a $175million fine to the states and $50million to the CFPB.