Paige Thompson, former software engineer at Amazon, is suspected of hacking into Capital One’s server and stealing the personal data of 106 million people (approximately 30% of the US population and 16% of the Canadian population).
US prosecutors said the data breach occurred between March 12 and July 17.
Ms. Thompson was arrested on Monday, July 29.
According to Bloomberg News, “prosecutors alleged that the access to the bank data came through a misconfigured firewall protecting one of its applications.”
According to Ars Technica, the hacker executed a command to gain administrator credentials, which provided access to bank data stored in Amazon Web Services. “Other commands allowed the attacker to enumerate Capital One folders stored on AWS and copy their contents. IP addresses and other evidence ultimately indicated that Thompson was the person who exploited the vulnerability and posted the data to Github, [FBI Agent,] Joel Martini said.”
Names, dates of birth, incomes, addresses, phone numbers, and email addresses of 100 million Americans and six million Canadians were stolen. This information originated from credit card applications made between 2005 and early 2019.
In addition, 140,000 Social Security Numbers, 80,000 bank account numbers, and one million Social Insurance Numbers were obtained.
Capital One said, “based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.”
What You Can Do
Capital One “will notify affected individuals through a variety of ways [and] will make free credit monitoring and identity theft protection available to everyone affected.” They also encourage customers to turn on account alerts to help them track activity on their account.
Always be wary of phishing emails or phone calls asking for personal information, such as bank account numbers or passwords. Never click links contained in emails you don’t trust. Capital One and other financial institutions will never contact you asking for your personal information.
To speak with a Capital One agent:
- Canada: 1-833-727-1234
- US: 1-800-227-4825
Leaked SINs are a huge problem because fraudsters can use them to invade your privacy and steal your personal information, government benefits, tax refunds, and credit from banks. Leaked SINs can also be used for identity theft and other types of fraud, which can increase your taxes and make it difficult for you to obtain credit.
Worst of all, a leaked SIN is irreversible.
While you can apply for a new SIN (with proof of identity theft), your old SIN can still be used to steal your identity. According to the Government of Canada's website, “a new Social Insurance Number is not a fresh start or protection from fraud or identity theft. If someone else uses your old Social Insurance Number and the business does not check the person’s identity, you may have to prove you were not involved in the fraud or pay the impostor’s debts.”
We Need Change
Knowing someone’s SIN and personal information should not be enough to steal their identity.
Identity verification needs to be stronger.
Financial institutions and government organizations need to verify the identity of their customers in person by scanning official identity documents or online by checking a digital identity that securely contains verified identity information (e.g., eID-Me). This is how identities should be verified for four reasons.
- Official identity documents and eID-Me can’t be forged, copied, or tampered with.
- They can’t be stored, leaked, or widely distributed.
- They are carried, controlled, and protected by their owner.
- In the event that they are lost, the owner can apply for a new one and deactivate their old one.
All of this gives people control of their identity, back where it belongs.