back to article Capital One gets Capital Done: Hacker swipes personal info on 106 million US, Canadian credit card applicants

A hacker raided Capital One's cloud storage buckets and stole personal information on 106 million credit card applicants in America and Canada. The swiped data includes 140,000 US social security numbers and 80,000 bank account numbers, we're told, as well as one million Canadian social insurance numbers, plus names, addresses …

  1. Synkronicity

    "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right"

    Read: a worthless credit monitoring service you already got for free from any number of data breaches you've been previously exposed to. The lawyers, regulators, and auditors all get their hush money whilst society moves on to the next data breach learning nothing.

    Much like our other daily occurrence: mass shootings.

    1. Dan 55 Silver badge

      Our thoughts and prayers go out to the credit card holders.

      1. fobobob

        "Why do we keep receiving boxes full of moldy tater-tots and pears?"

  2. elDog

    "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right"

    When the CEOs and others in the chain-of-command start to hear the clang of the jail doors behind them, then they will understand the word "worrry".

    Capitol One has long been one of the worst usurers in the US. Maybe they could just offer total debt forgiveness to all their customers as a path towards redemption.

    1. Chairman of the Bored

      Crapital One & usury

      A good point; this organization is a den of thieves. Problem is that this whole episode squeezes their customers even harder, the firm itself will be fine.

      Book recommendation: Broke, USA by Rivlin.

      $0.001 question- what am I going to do with all the free credit monitoring services I've been "given?". I've got three simultaneous BS services now, from three breaches.

      1. NetBlackOps

        Re: Crapital One & usury

        Better than what I got from the VA and OPM breaches which was nada. Capital 1 will be my first for that even though they denied me.

  3. quartzz

    "Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised." -- they almost sound like they are sure about that.

    1. Yet Another Anonymous coward Silver badge

      99 percent of Social Security numbers were not compromised

      Ie the 99% of the population that weren't customers.

      It's like asking the court to consider the 99.999999% of the world population that weren't murdered by my client

  4. Brian Miller

    Grab data, post data, alert world+dog

    "I've basically strapped myself with a bomb vest, fucking dropping Capital Ones [sic] dox and admitting it."

    Yeah, she done blew herself up good. Yeesh. I have no idea what the point is to crap like this. Notoriety? In the slammer? Her alias was "Erratic", and boy, does that one fit.

    1. Phil Kingston

      Re: Grab data, post data, alert world+dog

      I think the real takeaway here is that even the FBI managed to track down someone who "used her full real name as the account name". You can't get much past them these days.

      1. Halfmad

        Re: Grab data, post data, alert world+dog

        I wonder if her details were in the bucket of data too, would have meant they have the perp and their details in one handy spot.

  5. Anonymous Coward
    Anonymous Coward

    Canadian Sinners

    Are numbered - probably the deep state, wouldn't you know. I've always wondered how they know what I'm partial to. 999,999,999 choices.

  6. Pete4000uk

    What was the point...

    ...of getting yourself s long stretch in prison?

    To prove some point?

    To look 'big'?

    To screw a large company over?

    Or just to screw people over?

    Either way, I hope she likes the company of other women (assuming it was her, of course)

    1. Anonymous Coward
      Anonymous Coward

      Re: What was the point...

      Martyr syndrome, few years in the clanger and then write a book to cash in.

  7. Anonymous Coward
    Anonymous Coward

    You keep it for how long?!

    The pilfered data was submitted to Capital One by credit card hopefuls between 2005 and early 2019.

    The real outrage here is not that the data was taken - it is that Capital One still keeps the data from 14-year old credit card applications, presumably including those where the application was refused or where the customer has cancelled the card long ago, and no longer has any business relationship with Capital One.

    This is is exactly why we need tools like GDPR, and we need them agressively enforced by state regulators.

    1. Dan 55 Silver badge

      Re: You keep it for how long?!

      But marketing need to know data from 15 years ago because handwavey marketing reasons that mere mortals wouldn't understand.

    2. Anonymous Coward
      Anonymous Coward

      Re: You keep it for how long?!

      Companies get around the GDPR 6 year data retention rule in the UK by asking specific security questions relating to older data on your credit file, so that the information is then updated aka. renewed by asking a security question related to it. In essence, it then becomes 'new updated data' on you, which can be kept again for another 6 years.

      Always refuse to answer any question that doesn't relate to the past 6 years, it's none of their business.

      Just state the question they are asking is related to information older than 6 years.

  8. gannett

    "applied for one of our credit card products from 2005 through early 2019 .. "

    Retaining application form data from 2005-2019 ?, some will be 10 Years ago ? Sounds like data hoarding to me.

  9. Potemkine! Silver badge

    Said friend tipped off Capital One

    With friends like that, who needs enemy?

    1. Nunyabiznes

      Sounds like that person was a better friend to society than to erratic - and I'm ok with that.

    2. Drew Scriver

      By contacting the friend the hacker made him/her complicit and forced the friend into a rather untenable position. Aside from the legal/ethical dilemma, the friend could have been rather certain that the FBI would come knocking sooner rather than later. Using her own name for the GitHub account was a sure sign that she wouldn't be free long and made it likely that she left other clues.

    3. Anonymous Coward
      Anonymous Coward

      Forward to Oct 2022 -

      Judge Lasnik, upon sentencing Paige Thompson to probation, said he's putting his reputation on the line that will not commit any further crimes. “If that does happen, I’ll admit my mistake. I believe in her, and believe she will prove this is the right sentence.”

      I would say Paige being so "forthright" with her friend, and Paige's friend doing the right thing immediately left Paige better off than just about any other outcome - like ripping off the bandaid.

  10. elvisimprsntr

    Clearly, there is more to this story than we are being told. If her motivations were notoriety, she could have practiced responsible disclosure. Unless her motivation was spite, becasue she was the one responsible for the misconfigured systems and/or was fired from AWS. Photos of her from some articles, she looks like she might be a tweaker and may have some prior experience in the custody of the state. Perhaps a product of a prison educational program.

    Meanwhile, the real criminals continue to get away with it. Namely the predatory CC companies and WS.

  11. Miss Config

    From the CLOUD ???

    Thompson broke into Capital One's cloud-hosted storage, believed to be Amazon Web Services' S3 buckets, and downloaded their contents.

    Maybe I'm last to learn, as per, that a huge corporation such as Capital One actually uses the cloud for its storage.

    1. JohnSheeran

      Re: From the CLOUD ???

      Haven't you heard? The CLOUD has won. A LOT of large corporations in this country (US) are moving their stuff to these big providers. Even better, they are letting their developers be in charge of infrastructure. I'm sure that nothing ever goes wrong with those plans.

      1. Anonymous Coward
        Anonymous Coward

        Re: From the CLOUD ???

        News flash - a lot of health providers are doing it too including some really big.. like country sized ones in the UK..

        1. Yet Another Anonymous coward Silver badge

          Re: From the CLOUD ???

          I'm shocked to discover American Banks were using computers. In my dealings with them I assumed all record keeping bwas by illuminated manuscript and delivered by snail express

      2. Drew Scriver

        Re: From the CLOUD ???

        Developers have long been at war with engineers, operations, support, security, and so forth. The unfortunate reality is that they have, in many cases, won the war.

        Developers are now responsible for all aspects, including concept, design, development, testing, networking, security, application delivery, and break/fix.

        While the landscape has become much more complex, developers have finally won the recognition that they can, in fact, walk on water and master all disciplines.

        Sure, there are some checks and balances, but in the end the developers reign supreme.

  12. iron Silver badge

    No bank account numbers or Social Security numbers were compromised, other than 1,220,000 of them.

    Some great maths they've got there, must remember next time they want me to pay my bill that 0 = 1,220,000!

  13. Anonymous Coward
    Anonymous Coward

    Ah...The Cloud...the solution to ALL business problems.....

    ......until it isn't!!!


    Oh...and it's cheap for the enterprise......


    ......and expensive for all those customers!!!!


    What am I missing here?

    1. inquisitive2014

      Re: Ah...The Cloud...the solution to ALL business problems.....

      Ah The Cloud .. What am I missing here?

      Sir, You are missing the fact that Cloud or No Cloud, securing data is important and poor data management practices have consequences. Accessing data through vulnerabilities in misconstrued Firewalls is a problem for on-premise systems as well as Cloud.

      My deep concern is that there is a lack of understanding of the "Shared Responsibility Model". The big Cloud providers are doing such a good job of resiliency and security for the infrastructure components they actually manage and control that there is a general sense of complacency and slackness from the Users/Admins who have to step up and manage the layers of the stack they control like Firewall rules.

  14. Anonymous Coward
    Anonymous Coward

    New title?

    “Evil hacker gets caught due to villain monologue.”

    I thought that only happened in James Bond movies...

    1. Yet Another Anonymous coward Silver badge

      Re: New title?

      Before I kill you let me tell you my evil plan... Or better still just do 'git clone'

  15. Anonymous Coward
    Anonymous Coward

    all of the above, and...

    Important points made by commenters here, especially how this incident proves the desperate need for a GDPR anti-data hoarding regime in North America. Not hopeful the sheeple will take time out from the clown show to react though. Even those inclined to rail against establishment don't seem to see privacy and data protection as a priority. On the technical side, I keep wondering how so many companies keep f*ing up AWS security. It's simply not that hard to get it wrong. Is it that some of the drones they engage to do the work are morons? Or is it that too many share their employer's penchant for corruption? In any event, the logical response would be a massive push for tech education and systems auditing, but it's not clear that will happen given the prevailing culture of reckless greed.

    1. JohnSheeran

      Re: all of the above, and...

      Security is very easy to get wrong if you don't understand security. It's still easy to get wrong even if you do understand security, you just realize your mistakes more quickly and usually fix them. The cloud doesn't change that but it least it makes your data just one step closer to those who would like to get it and exploit it.

      1. Anonymous Coward
        Anonymous Coward

        Re: all of the above, and...

        Agreed. The thing is, humans (and machines programmed by machines) are fallible. Problem is that most tech orgs have been running with such a shallow bench the last decade or more that there's almost never any review of what an individual (well-meaning) engineer has done/is doing/will do _by people who would know a mistake when they see it_.

    2. Anonymous Coward
      Anonymous Coward

      Re: all of the above, and...

      As I read the court document I was wondering where the breach was. It does look like the hacker used code and tools they had within AWS to gather the credentials for the S3 bucket. This opens another Pandoras box regarding security in the cloud and it isn't about whether organisations get their own security right, its about whether you can ever completely trust people in the cloud provider teams not to run tools that gather your credentials and then use those credentials to steal your data.

      I find myself repeating time after time that you cannot guarantee the security of your data if you are trusting a third party not to go peeking into your files. Moving to the cloud means you have to trust that the vendor has no secret back doors or master keys to your data. I simply don't believe that level of trust can ever be established once you data is off your premises and you hand over some degree of control to someone you didn't hire, didn't vet and can't fire.

      1. Citizens untied

        Re: all of the above, and...

        Hence the quick denial by AWS. It is core to their strategy to retain the trust.

        Ironically, Capitol One send mountains of junk mail, which people have to discard without opening, wasting resources and time (in very small increments, but that does not make it any less irresponsible).

        The knee jerk reaction from the less technical masses are prevailing directed at punishing "erratic" - their association to "their" data makes them feel personally victimized.

        This was Capital One's data, and supporting punishment of this woman is an indirect sanction of the rights of the corporate scum of the earth over individuals,their privacy and even the environment.

        We are severely under appreciating the damage usury and its incumbent distortion of value - and values, cause.

    3. Drew Scriver

      Re: all of the above, and...

      I doubt the USA will ever have something similar to the GDPR due to the federal political system. Too many ignorant politicians who have too many constituents and donors to please. Besides, the feds are much too interested in the collected data to jeopardize its existence.

      If states like California pass laws that are too strong the feds will step in and outlaw those. Same thing happened with the spam legislation back in the day.

    4. Ugotta B. Kiddingme

      Re: all of the above, and...

      "...this incident proves the desperate need for a GDPR anti-data hoarding regime in North America. Not hopeful the sheeple will take time out from the clown show to react though. Even those inclined to rail against establishment don't seem to see privacy and data protection as a priority. "

      I think you will find a fair number of us actually DO see privacy and data protection as a priority. The problem is that the politicians who have the means to fix this won't, because they remain in power thanks to the dirty money of the corporations which collect, hoard, and misuse this data.

  16. Tom Paine


    It is alleged Thompson bragged about her hack to pals on Slack,..

    Yet another idiot who didn't read TheGrugq's definitive "OPSEC for hackers" guide.

    "Shut the fuck up, Karl!"

  17. Paper

    Women + Queer equality

    This is the first time I'm hearing of a woman and trans person committing this type of crime. So at least one positive takeaway is we are achieving "criminal" equality :D :| :D :|

    1. Anonymous Coward
      Anonymous Coward

      Re: Women + Queer equality

      The hacking was bad and my eyes feel battered too.

  18. spold Silver badge

    Your penalties may vary

    ...particularly in Canada - Canadian organizations and individual directors and officers of such organizations may be found guilty of an offence and fined up to $100,000 (CAD) if they knowingly fail to report information security breaches to the Privacy Commissioner of Canada (Office of the Privacy Commissioner - OPC), they have therefore avoided this, however the OPC can also only recommend changes and has no power to issue fines - so Capital One will get away with it from that perspective.

    However it has been very stormy here in Toronto the last couple of days, my wife said last night "is that rain I can hear outside?", I said "no it's just a bunch of class-action lawyers salivating...".

  19. Anonymous Coward
    Anonymous Coward

    The human ego knows no bounds.

    Way to go. Brag about your exploits, so as to make it easier for the cops to identify you and come right to your door to arrest you? Brilliant!!

  20. Not Elvis

    What's in your Wallet?

    Errrr.... Nothing now....

  21. Maty

    time for change

    Let's face it - if your personal details have not yet been splashed over the web by one breach or another, they are going to be. Large organizations can no more keep data secure than an infant can keep a diaper dry. It is time to recognize this and move on.

    Security by obscurity no longer works. Just because someone has the right social security number, passport details etc, etc, does not mean that this person is who he says he is. The system has to change. Banks have to take responsibility for issuing debt to the wrong people and do better due diligence. If that makes applying for credit a more difficult task, this is probably a good thing.

    1. Jamie Jones Silver badge

      Re: time for change

      Yes! I've been saying that for decades!

  22. Magpop40



    (we wouldn't be that dumb and don't need the bragging ego boost to prop up our fragile senses of self and self-worth)

  23. Andy Humphreys

    Ineffective Encryption?

    I found the Encryption FAQ on their press release to be a little disingenuous;

    "We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.

    However, it is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected."

    To me, it would seem that other than selective tokenisation, they are just using some form of full disk or transparent encryption of data at rest.

    Great if someone can walk into a data center and walk out with the disk, but otherwise fallible to any legitimate command that can coerce the data off the disk.

    Perhaps if they had looked at encrypting/decrypting in application in conjunction with HSMs or similar, then the risk of such a clear-text exposure could have been more reduced?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like