IOTW: Historic Capital One hack reaches 100 million customers affected by breach

Work Remains For Organizations And Industries Despite Heavy Cyber Security Investments

Kayla Matthews
08/02/2019

Incident Of The Week: Capital One

In today's society, the headlines increasingly feature news of massive data breaches. Capital One is in the spotlight now. On July 29, 2019, the company admitted a hacker gained unauthorized access to information and decrypted previously encrypted data. The realization came 10 days before the company publicized the news.

A cyber security researcher found the problem and then informed Capital One about it on July 17. The company started an internal investigation immediately afterward.

This article answers a few questions, including:

  • How did the Capital One breach happen?
  • What kind of information was compromised?
  • What was the hacker's goal?
  • How is Capital One responding?

 

How did the Capital One breach happen?

Capital One determined that a hacker broke into a server by exploiting a configuration vulnerability in a web application firewall on March 22 and 23, 2019. The person accessed personal information for more than 100 million Capital One customers in the U.S. and 6 million in Canada. The outcome makes this hack one of the biggest ever. Then, according to the criminal complaint, the person tried to share the stolen information with other people online.

After the company found the problem, it immediately fixed it and started working with law enforcement officials. The FBI arrested the alleged hacker, a person named Paige Thompson. The 33-year-old Seattle resident previously worked for Amazon Web Services (AWS), the cloud computing company Capital One uses.

What kind of information was compromised?

Most of the information obtained by the hacker came from credit card applications submitted by customers from 2005 through early 2019. It included names, addresses, phone numbers, birthdays, emails and self-reported income information.

Moreover, the cybercriminal also got partial data about transactions occurring during 23 days in 2016, 2017 and 2018. Fortunately, the breached data did not include credit card numbers.

Capital One's statement on its website mentions that about 140,000 Social Security numbers for U.S.-based credit card customers were compromised. Similarly, the brand says about 1 million Canadians had their Social Insurance Numbers affected. Approximately 80,000 people with secured credit cards had linked bank account details compromised during the incident, too.

What was the hacker's goal?

Capital One is still carrying out its investigation, but it doesn't believe the person to blame disseminated the information or used it fraudulently. The hacker's aim is not yet clear, so people can only speculate. Many hackers sell the information they get on the darknet. Perhaps Thompson hoped to do so but could not before law enforcement officers detained her.

Other hackers also love the notoriety associated with successful attacks. They may view the chance to break into a well-known company's database as an enticing challenge. As the information stored online goes up, it becomes more likely that hackers will find valuable data.

Some emerging technologies require the ongoing transmission of personal details. For example, the telemedicine industry allows doctors to treat patients remotely with help from phones, apps and webcams. Telemedicine is ideal for people with busy work schedules or those who live in rural areas, but participating companies are at an increased risk for hacking.

The banking sector faces a similar challenge. Hackers know banks require user information and have to store it somewhere. If cybercriminals can find flaws in the system, the payoff could be lucrative — or at least widespread.

How is Capital One responding?

The company says it has heavily invested in cyber security and will continue to in light of this incident. An official FAQ page mentions that all affected Capital One customers will receive free credit monitoring and identity protection. However, the information does not specify what people should do to enroll in it.

The details provided by the company also remind readers of the internal fraud detection technology in place at Capital One. It recommends that customers set up account alerts, and says it will contact affected people through a variety of channels. Capital One clarified that it does not contact customers via telephone to ask for personal details. It asked people to be vigilant for possible scam phone calls or phishing emails.

A gigantic cyber security failure

More details about the Capital One breach may become evident later. A hack of this magnitude is a strong reminder that the company has work to do to improve its cyber security.