Self-reported Income Is Interesting For Hackers Everywhere. The Latest Example Is From The US.
Two weeks after the biggest data breach in Bulgaria so far, we see that no one is completely protected against hacker attacks. The personal and financial data of over 100m citizens of the US and Canada has just been compromised after an engineer managed to obtain access to the files of US bank One Capital, reports Reuters.
According to the US Attorney’s office, the Capital One hacker was able to gain access to the data through a misconfigured web application firewall.
To a certain extent, it reminds of the data leakage of the Bulgarian tax agency in the middle of July, when the data of almost all individuals in Bulgaria who have filed a tax declaration in the past ten years, were hacked. The hack in Bulgaria was performed via a simple SQL injection methodology (read more here). As the investigation of the One Capital case is ongoing, there’s not enough information on the complexity of the hack.
+++ The biggest data breach in Bulgaria and all we know about the cyberattack so far summarized +++
100m affected, $100m damage
Based on One Capital’s analysis the event affected approximately 100m individuals in the US and another 6m in Canada. “The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products between 2005 and early 2019,” the company announced. The leaked information included personal information Capital One routinely collects at the time it receives credit card applications – including names, addresses, postal codes, phone numbers, email addresses, dates of birth, and self-reported income. According to the bank, no credit card account numbers or log-in credentials were compromised. As much as 99% of the social security numbers were not compromised. Yet 140k numbers of One Capital’s credit card users were compromised too.
But that’s not all. Beyond the credit card application data, the hacker has also obtained portions of credit card customer data, including customer status data, credit scores, credit limits, balances, payment history. Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018 were also exposed.
The incident is expected to cost up to $150m in 2019, mainly because of customer notifications, credit monitoring, and legal support, Capital One said.
Caught on GitHub
One person, according to Reuters, has been arrested. The suspect, a 33-year-old former Seattle technology company software engineer identified as Paige Thompson, made her initial appearance in U.S. District Court in Seattle on Monday, the U.S. Attorney’s office said. Notice of Attorney’s Office says that Capital One was alerted about the breach by a GitHub user who spotted another user posting about it on the site.
Meanwhile in Bulgaria
Two weeks after the data breach in Bulgaria, in which the data of close to 5m individuals was exposed, there’s no clarity who and why hacked the system. After a 20-year-old suspect was arrested and then released due to lack of evidence, now the manager of the US-Bulgarian cybersecurity firm he works for, is arrested. Investigations continue.