Breach Notification , Cybercrime , Fraud Management & Cybercrime
Capital One Warns of More Data Leaked in 2019 Breach
Additional Social Security Numbers May Have Been ExposedCapital One is warning additional customers that their Social Security numbers may have been exposed in a massive 2019 breach.
See Also: Gartner Market Guide for DFIR Retainer Services
Meanwhile, a suspect in the breach is slated to go to trial in October, according to court documents.
In a recent breach notification and a letter sent to customers, Capital One notes that following an additional internal investigation into the 2019 breach that included the theft of 106 million credit card records and personal data belonging to customers in the U.S. and Canada, the bank found that additional Social Security numbers may have been exposed.
When federal prosecutors and the FBI first charged Paige A. Thompson, a former software engineer, in 2019 with hacking into Capital One and 30 other organizations, the bank noted that approximately 140,000 Social Security numbers of its credit card customers and about 80,000 linked bank account numbers were compromised in the breach (see: Paige Thompson Charged With Hacking 30 Organizations).
A notification and letter filed with California authorities last month did not specify how many additional Social Security numbers may have been exposed during the 2019 breach. A company spokesperson pointed to a company website dedicated to the 2019 breach, which notes that as of January: "We discovered approximately 4,700 U.S. credit card customers or applicants whose Social Security Numbers were among the data accessed, but not previously known."
Capital One says that while there is no evidence that customers' Social Security numbers were used for fraud, the bank is offering an additional two years of prepaid credit monitoring for anyone who received the updated notice.
A Full Accounting
Roger Grimes, data-driven defense evangelist at the security firm KnowBe4, says it's difficult for an organization to get a full accounting of what data may have been exposed immediately after a security incident is discovered.
"It is not all that unusual for victim organizations to update original findings to say that the breach was worse than first reported," Grimes says. "Most organizations naturally want to say as little as possible about any breach for a myriad of reasons, including potential reputation issues, financial impacts, legal implications and so on. But it really can be tough to have the 100% accurate information early on - even with the best of intentions."
Other details about the breach also are likely to emerge as class-action lawsuits against Capital One proceed. In one case, a federal judge in May 2020 ordered the bank to turn over the results of a digital forensics investigation into the 2019 incident to plaintiffs involved in a lawsuit. That document has not been made public (see: Capital One Must Turn Over Mandiant's Forensics Report).
Chris Pierson, CEO and founder of security firm BlackCloak, says that a number of factors could have led Capital One and its forensic team to discover that more data was exposed that originally believed.
"In most cases, the culprit is logs that indicate a new database that was previously thought of as not being impacted is determined to be in scope at a later point in time and so those persons are notified," Pierson says. "In some cases, a new data field that was previously thought to have been masked or encrypted was actually exposed, causing a new or amended notice to be given to affected customers. Neither of these situations is alarming in and of themselves."
In August 2020, the U.S. Office of the Comptroller of the Currency, which is part of the U.S. Department of the Treasury, fined Capital One $80 million in connection with the 2019 breach. A company spokesperson at the time said the bank had made strides in improving its security since the incident was first discovered (see: Capital One Fined $80 Million Over 2019 Breach).
Trial Later This Year?
In the meantime, the U.S. Justice Department case against Thompson continues to make its way through the federal court system.
In March, the federal judge overseeing the case extended the time Thompson's defense team will have to "review the voluminous discovery, to conduct a follow-up investigation and to retain and consult with experts." A trial date is now set for Oct. 18, although previous trial dates have been pushed back due to the complexity of the investigation as well as the COVID-19 pandemic.
Thompson has pleaded not guilty to federal charges of wire fraud and computer crime and abuse. She currently remains free on bail but is prohibited from accessing a computer, according to court documents.
Federal prosecutors believe that Thompson, who lives in the Seattle area, accessed Capital One's cloud-based repository of credit card applications after taking advantage of a misconfigured firewall, according to an earlier criminal complaint.
Thompson previously worked at Amazon Web Services, which is the cloud provider Capital One used for its internal IT infrastructure. During her time there, Thompson worked on projects involving the company's Simple Storage Service - also known as Amazon S3. Security experts have suggested that she may have discovered weaknesses in Capital One's implementation of the technology that allowed her to exfiltrate the data. And while prosecutors allege that Thomson took data from Capital One and possibly dozens of other companies, they say she apparently did not attempt to sell the information (see: Capital One's Breach May Be a Server Side Request Forgery).
Managing Editor Scott Ferguson contributed to this report.
This story was updated to include a response from Capital One.