Given that Capital One charges 29.9% interest on credit card balances, you'd think they could afford to have better data security.
242
Oh, puleaze. If you're paying 29.9% or even 19.9% on a credit card today you either haven't shopped around or have abysmal credit. One of my cards just upped my rate to 13% so I zeroed it out. I'll keep the card but they won't make a cent off me until they get real. My best card charges 7.9% though admittedly, I've been their customer for perhaps 30 years.
20
@James Thomas
Oh, puleaze. If you're paying interest on a credit card debt today you either haven't shopped around for a better job or you have an abysmal education. One of my cards pays me 2% on everything I buy. I zeroed it out paying interest years ago. I'll keep the card but they won't make a cent off me. My best card charges me nothing, because I pay it off every 30 days. /s
16
At this point "my" data has been stolen so many times (OPM, Equifax, and I'm sure more) it feels like I'm a wildebeest or zebra counting on hiding in the middle of a massive herd as my only protection from the predators. It seems like a basic premise that if you have to have my information for us to do business, and you compromise it, then you should pay me directly and be disallowed from being in such a business ever again.
262
The elephant in the room here is that the law doesn't put the cost of these data breaches on the organizations that store them.
Instead, individual consumers are forced to bear the cost of identity theft based on the negligence of businesses.
With these incentives, it's no surprise that this continues to happen. Make the banks responsible for bearing all the costs and the problem will be greatly reduced.
275
Curious why the story does not mention that she is a transgender woman? Hacking and cybercrimes are predominantly perpetrated by males, so I was interested to read about a female hacker. It is interesting to note she is transgender.
6
Great! Someone used my stolen EquiFax information to apply for a Capital One credit card. So now that information is doubly stolen!
4
There is a solution. Knowing everything about the Queen of England doesn’t make you one. Therefore, unchangeable and supposedly secret facts must never be used as proof of identity. The following policy would literally eliminate identity fraud overnight.
UNIVERSALLY BAN THE USE OF IMMUTABLE INFORMATION FOR REMOTE AUTHENTICATION, which includes social security number, birthday, mother’s maiden name, password hints, and biometrics such as signatures, fingerprints, iris scans, or voice prints. This information doesn’t change, hardly changes, or is nearly impossible to change.
The only irrefutable method for establishing and registering a person’s identity is to submit biometrics IN PERSON at a trusted site. During the registration, the parties establishing a relationship can exchange public keys to allow for subsequent secure remote authentication using one-time passwords. This would be a reasonable process when getting a loan, license, or a passport. A vouching third party such as a bank, school, friend, or customer would suffice in less critical transactions. No new technological advances are required to set this up.
Once private information becomes unnecessary for authentication, there will be no good excuses to collect it. Privacy and Security would no longer be intertwined.
2
Two points:
1. Anyone who thinks there is a way to prevent these sorts of breaches simply doesn't understand how large-scale distributed networking works -- or does understand but either doesn't want to believe the truth or doesn't want you to know it.
2. "Cloud Services" = "Someone Else's Servers"
4
@Douglas
Hi Douglas. Thank you. Please tell me, did Ms Thomas post the info on Capital One customers online for bad people to use? If so, where was it posted?
Can I look it up to see if my name and info is on the public web?
Your help would be welcome. Thanks.
1
I remember the Equifax hack, I didn’t think it affected me until I got a phone call from one of my credit cards. “Did you just buy 6 X-Boxes at a Target in Ft. Lauderdale?”
“No, I am five states away and never even played with an X-Box.” The agent continued, “Well they just ordered 6 Domino’s pizzas to an address near Ft. Lauderdale”. I am thinking this guy on the phone is an intellectual genius. Obviously, some truly novice hackers. The issue was quickly resolved.
But that was a while ago. Today I see my Cap 1 card is probably hacked, and five years ago all my medical records were hacked in Hospital Corporation of America’s hack.
Maybe, like mass shootings, this is just part of life in America. That just maybe there is no more security, cyber or otherwise, in the US of A. I guess we just deal with it. Message me if you want my Social....
4
What's in your wallet?
Hackers...
8
Who, what, when and why! What did she do with the data she stole?
6
Sounds like a highly skilled, intelligent, curious, and terribly bored young person, who needs a purpose. Her talents should be harnessed to protect America from foreign cybercrime.
1
@FloLady Sounds like she had a good job, and she needs to go to prison to pay for her actions.
2
Ouch! We know what's in her wallet, don't we!
2
It should be obvious that the consumer can by definition not be held responsible for any form of identity theft. The institutions who are so negligent as to allow identification over the internet or phone need to be held liable.
There is no problem with having identity certification bureaus in each major city.
How often do I need a loan or a credit card!? It would be sufficient to have notaries sitting in a bank certify your identity based on passport data and biometrics.
That would cut out all the overseas fraudsters.
That's the way Europe does it and, lo and behold, we never hear about these problems there.
Only the US politicians are too daft to recognize what works.
Now on to health care.....
3
The credit agencies should allow us to use 2-factor authentication. We would get a text at a number we provide to the credit agencies whenever anyone wants to make a hard credit check. If we don't authorize the check or provide the company making the request with the code, the credit company sends back an error.
It wouldn't stop everything, but it would prevent all types of accounts from being opened in people's names.
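The consent-gated hard inquiry this comment proposes, sketched as added example code that is not part of the original thread and not any bureau's real API (the class and method names, the 10-minute code lifetime and the sample consumer and lender identifiers are all assumptions). The one-time code is single-use, expires, and is bound to the lender that requested the pull, so a leaked code cannot be replayed by someone else:

```python
import hashlib
import hmac
import secrets
import time

# Added illustration of the consent-gated hard inquiry proposed in the comment
# above. ConsentGate, request_inquiry and pull_report are hypothetical names,
# not a real credit bureau interface.

CODE_TTL_SECONDS = 600  # assumed lifetime of a consent code


class ConsentGate:
    """Bureau-side gate: a hard pull succeeds only with a fresh, single-use code
    that was texted to the consumer and handed by them to the requesting lender."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._server_key = secrets.token_bytes(32)  # bureau-side secret for the code MAC
        self._phones = {}    # consumer_id -> phone number on file
        self._pending = {}   # consumer_id -> (code_mac, lender_id, expires_at)
        self.outbox = []     # constructed stand-in for an SMS gateway

    def register_phone(self, consumer_id, phone):
        self._phones[consumer_id] = phone

    def _mac(self, lender_id, code):
        # MAC over lender and code: a code issued for lender A is useless to lender B.
        msg = f"{lender_id}|{code}".encode()
        return hmac.new(self._server_key, msg, hashlib.sha256).digest()

    def request_inquiry(self, lender_id, consumer_id):
        """Lender asks for a hard pull; the bureau texts the consumer a code."""
        phone = self._phones.get(consumer_id)
        if phone is None:
            return "NOT_ENROLLED"
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        # Only the MAC is stored, never the code itself; one pending request per consumer.
        self._pending[consumer_id] = (self._mac(lender_id, code), lender_id, expires_at)
        self.outbox.append((phone, f"{lender_id} wants to check your credit. Code: {code}"))
        return "CODE_SENT"

    def pull_report(self, lender_id, consumer_id, code):
        """Lender submits the code the consumer gave it; anything else is an error."""
        # Single use: every attempt, right or wrong, consumes the pending consent,
        # which also rules out guessing a 6-digit code by repeated submission.
        pending = self._pending.pop(consumer_id, None)
        if pending is None:
            return "NO_CONSENT"
        code_mac, _bound_lender, expires_at = pending
        if self._clock() > expires_at:
            return "EXPIRED"
        if not hmac.compare_digest(code_mac, self._mac(lender_id, code)):
            return "BAD_CODE"
        return "REPORT"  # stands in for returning the actual credit report


def _code_from_text(text):
    # Helper for the walkthrough: the consumer reads the code off the text message.
    return text.split("Code: ")[1][:6]


def walkthrough():
    """Run the flow through its outcomes with constructed sample data."""
    now = [1_700_000_000.0]              # fake clock so expiry is deterministic
    gate = ConsentGate(clock=lambda: now[0])
    gate.register_phone("consumer-42", "+1-555-0100")  # constructed sample consumer
    results = {}

    # 1. Consumer ignores the text and never gives the lender a code.
    gate.request_inquiry("lender-A", "consumer-42")
    results["unauthorized"] = gate.pull_report("lender-A", "consumer-42", "")

    # 2. Consumer forwards the code; the pull succeeds exactly once.
    gate.request_inquiry("lender-A", "consumer-42")
    code = _code_from_text(gate.outbox[-1][1])
    results["authorized"] = gate.pull_report("lender-A", "consumer-42", code)
    results["replay"] = gate.pull_report("lender-A", "consumer-42", code)

    # 3. The code leaks to a different lender: the MAC binding rejects it.
    gate.request_inquiry("lender-A", "consumer-42")
    code = _code_from_text(gate.outbox[-1][1])
    results["wrong_lender"] = gate.pull_report("lender-B", "consumer-42", code)

    # 4. Correct code submitted after the lifetime has passed.
    gate.request_inquiry("lender-A", "consumer-42")
    code = _code_from_text(gate.outbox[-1][1])
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = gate.pull_report("lender-A", "consumer-42", code)
    return results


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print(f"{case:>13}: {outcome}")
```

Nothing here stops a lender that skips the bureau entirely; the gate only makes the bureau refuse to hand over a report without the consumer's fresh consent, which is the narrower point the comment makes.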
Anyone still remember the number of personal financial data exposed by consumer credit rating services? The NYT seems to have forgotten after the settlement (tiny, by the way) with which they got away.
It seems that fiduciary duty is really cheap in the US; in any European country just the fines would have driven them directly to bankruptcy and liquidation.
2
The Federal retention period for consumer credit applications is 13 months by the financial institution and 26 months for business credit applications. To retain this private, personal information for almost 15 years is nearly asking for a breach.
Surely some EU citizen got caught up in one of their torrent of solicitations for credit. That will add some fun to this.
4
I don’t assume that the only breaches that occur are the ones we hear of. This person was a troubled individual and there is no indication she was either stealthy or technically savvy, but still she hacked the bank. I do assume most criminals try much harder to profit from their crime and to not be caught. If the data safeguards at major banks and other entities are so weak, there will be no stopping a determined thief or organization.
If there is the money in the marketing budget to pay ... Jennifer Garner? Samuel L. Jackson? others? (I'm really not sure anymore who sells what) to hawk the product(s), there should be a zillion dollars FIRST to secure the customer data.
5
Which role did Amazon Web Services play in that breach? I know many small companies and startups that use the AWS cloud to store sensitive personal data of their clients. I still have not figured out where the mistake was made in the entire chain of the data transfer and storage.
4
I read the indictment and what she did was use the master keys to access the buckets. Apparently C1 didn't encrypt anything.
1
Consumers went from "What's in your wallet?" to "Who's in your wallet?" We need new formats and alternative nets for security. I recall working for a Fortune 500 manufacturer that kept its parts inventory on its own net. Time to rethink the Internet.
6
I’m seeing stories about how the cyber security industry is booming. Thousands upon thousands of job openings. Now, how many of those people being trained in this field are going to turn to the dark side, like this woman? How many are going to become criminals? Am I the only person thinking this problem can only get worse and worse?
8
@David Parker The problem is likely to exist as long as people exist. They have been like that since the Garden of Eden. Or Ape Forest, depending on one's politics. HM
Open Letter to Richard D. Fairbank, CEO of Capital One:
Richard,
Your generic message to the public was insufficient given the gravity of your security breach.
What you owe the public and moreover, your clients (of which I am one), is a full scale report on:
A. How it happened (What technology was compromised)
B. Who was responsible for dropping the ball, including management names, and external consultants involved.
C. What Capital One has done to immediately rectify the situation, not just in this breach, but by globally tightening your Technology Security starting with a comprehensive security audit done by an external company that can provide details of weaknesses and remediation measures.
Too many times the person(s) and groups responsible for these security lapses in which clients' data is compromised are not held personally responsible, and the client base is given no specific information as to how you are further protecting your cardholder data environment by eliminating these failed 'gatekeepers' and how you will replace that failure with specific individuals and measures.
As a Cap One client and 25-year technology professional, I must say an apology is unacceptable; a comprehensive report and remediation plan must be forthcoming.
Jon Abbondanza
Microsoft Certified Solutions Expert
16
@Jon Does anyone have any idea what a hacker does with several million account numbers, SS numbers, etc.? Of the millions of identities that have been compromised, how much actual damage was done? If stolen card numbers were really a problem for the card companies, every transaction would require a PIN. This "breach" stuff seems a lot like Y2K.
Lots of noise about nothing!
1
@Mike Tierney
The simple fact that we mostly DON'T know what happens to personal financial information when stolen by hackers should be enough to sound your alarm. But I guess you've chosen the "ignorance is bliss" route, so I guess not...
5
@Mike Tierney. A lot of noise about nothing, seriously? A hacker gets your social security number and sells it on the web. Do you know what a tangled mess it is to prove it isn’t you that owes how many tens of thousands they can siphon off your hard earned credit score running up debt. It’s a mess, you may not even know for years.
1
I am sure the requisite poorly funded and demonized regulatory agencies will investigate. Maybe even the FBI. There will be lawsuits, a no admission of wrongdoing settlement and a monetary settlement ”potentially” in the millions but in reality much less because the victims will have to prove actual harm and document in detail the hours spent preserving their privacy. They may even get free credit monitoring provided most likely by Equifax that proven protector of our information. Then, back to business as usual.
7
This person put over 100,000,000 people's lives at risk and the cost incurred because of her bravado will be in the tens of millions of dollars or more and all they charge her with is one count of computer fraud and abuse?!!!! No wonder so many con, steal, and commit fraud or extortion; no real punishment.
11
@Ma Explain how someone's life is at risk as a result of this.
1
@Ma They turn White Hat and make tons of money. No such thing as bad publicity.
I don't understand the math here: there are only about 210 million adults (18+) in the U.S., so supposedly half of them applied for Capital One credit cards??
4
Includes data from Canadians, too. And going back to 2005 - article states 10s of millions of applications alone were stolen.
4
@JS I have never applied for a Capital One credit card, but I regularly receive offers from them. I have no idea where they got my name and address. I guess I am among these 100 million.
1
@Kristen C. You’re correct. If you call the Capital 1 card line right now they are saying there are extended hold times because of calls from Canada.
From another NYTimes article: “Ms. Thompson, a 33-year-old software developer, made a habit of oversharing online. Those posts led the authorities to her door.”
If only all braggadocious criminals would suffer likewise. I guess that there’s a presidential exception or, maybe, it’s a republican exception...dunno....
4
Capital One: What was in your wallet?
6
What’s in your wallet takes on new meaning.
5
She should be charged with 220,000 counts of fraud because that's how many accounts were compromised, not one.
13
@Mgwh686
And penalties paid to each one of them. If companies had to pay penalties to all those whose accounts are breached, things might be very different.
4
If the information in this article is correct, then it's almost as if Ms. Thompson wanted to get caught for this crime. We've all heard about 'death by cop', and the empowerment sought by those who openly commit anti-social acts (by delaying the subway, etc.). According to the article: "The suspect, Paige Thompson, 33, left a trail online for investigators to follow as she boasted about the hacking..." And according to the bank: “we believe it is unlikely that the information was used for fraud or disseminated by this individual.”
2
Why is it that financial institutions are not required by law to completely ensure the security of their clients' data? There appears to be little or no meaningful policy in place to protect consumers' accounts, identity & credit information. Our federal regulators are once again asleep at the wheel.
Any company that stores and uses my account information should be required by law to completely protect it - plain and simple.
Furthermore, when my account is closed, that data should be required by law to be purged from the company's systems.
7
My son is planning to get a graduate degree in "Cybersecurity". It was fascinating to read about the courses. There are offensive and defensive areas of study. In one, you learn how to break into systems. In the other you learn how to defend against break-ins.
At one point Homeland Security was subsidizing the cost for his degree. Unfortunately, he missed that window.
1
Usury is a sin, and in some places it is illegal.
Exhibit One is Capital One's CEO, who has personally made a billion dollars charging 25% interest - a usurious rate if there ever was one.
If a financial institution cannot protect the data its customers are required to give it, it needs to face criminal charges - starting with its richly rewarded Usurer-in-Chief Richard Fairbank.
Our society enables usurers to amass obscene financial wealth by charging rates our ancestors found criminal.
12
@Space Needle
I have been a Capital One cardholder and have never paid 25% interest. The cardholder is told what his interest will be when he applies for a card. He or she has the opportunity to accept that rate or decline and apply for a card at another bank.
3
This wasn’t a hack, it was someone walking through a wide open door that Capital One was too cheap to buy a lock for, much less close it.
25
It is very unclear to me why:
1. The companies receiving data for specific purposes who then use it for other unauthorized purposes or who, through their carelessness/stupidity/neglect/employees, end up with individuals' personal information being hacked or misused aren't subject to class action suits...
and
2. Why the criminals doing the hacking, like the very boastful and self-incriminating crook in this case, don't get charged with a separate criminal charge of theft for each and every individual they have stolen from, along with personal civil liabilities to each and every individual for theft.
Why are the data/personal/identity theft crooks and mis-users being shielded from common practices in any other kind of individual and group theft and misuse/neglect?
4
Not in my wallet, not anymore.
4
Well, I guess we know what’s in a Capital One account holder’s wallet: someone else’s eyeballs.
3
Not interested in paying for her college debt write off.
2
This case illustrates once again how mind-numbingly stupid most criminals are. The accused hacker, clearly an intelligent person, left a virtual trail of breadcrumbs for the FBI. If she wanted to get caught, well, that makes her even dumber.
1
@Mark Siegel - Bragging rights just like a serial killer. Plus she wants to work for the Phoenix Foundation.
Glad I don’t use Capital One
4
Capital One has no problem emailing me on a myriad of things but nothing concerning this hack. Time for a different card.
4
Who's in your wallet?
2
Well I guess now everybody knows, 'What's in YOUR wallet.'
2
Well, good for her: she strapped herself "with a bomb vest” and can be counted among historic firsts as a female terrorist. I hope she gets at least 30 years in federal prison to brag about and exercise her gargantuan entitlement. Then, forbid her any technology except a play Tablet for toddlers for the rest of her pathetic little life.
3
@Gustav Aschenbach but will "she" be housed in a men's prison or a women's prison?
1
I guess they now know what's in your wallet
1
Incompetent techies are all over CapOne
1
Just to be clear - amazon employee with access to encryption keys “securely stored by Amazon” for Capital One S3 storage just copied the data to their github..... don’t let anyone else manage your keys.
2
What WAS in your wallet?
1
What’s the motivation or payoff for a 33 yr old single female?
2
The stupidity of people using social media never ceases to amaze me. How many times have we read about an employee who posted something and got fired for it? Do people just not think? And now once again we hear about a person boasting about illegal activity on social media and getting literally busted for it. You would think a hacker would be wiser. Evidently not.
1
Wait...what?? How can she be so stupid??!!
1
NYT: Why did you write a sensational article about a hacker and Amazon when the focus should be on Capital One? I learned about the breach from Reddit, of all places. Didn't even get an email notification from Capital One. Check your bias. Check your glorification of hackers. Check your desire to smear mud on a competing newspaper's owner. It doesn't make journalism look good.
4
Identity theft!
That's my fear!
I can change my credit card number easily. But when it comes to social security number, state ID and address, it is extremely difficult and costly.
Companies should not be allowed to store these types of information if they are unable to repair the potential damage. Credit monitoring is not enough!
1
As far as actual theft of money is concerned, the major risk consumers face with financial companies like banks is probably not this sort of hacking. The major threat is the ACH – the automated clearing house. This is the system banks use millions of times a day to transfer money from an account at one bank to an account at another.
From what I, as a consumer, can tell, there is virtually no authentication, and no visible safeguards. All someone needs to withdraw large amounts of money from a stranger’s account at a bank is the account number and the account holder’s name. Anyone ever paid by check has this information; the name and account number are clearly printed on the check.
For example, when someone is asked to make a college tuition payment, the college simply requests the account holder’s name, their bank’s name, and the account number. The next day, the tuition payment is automatically transferred. Tuition payments can be tens of thousands of dollars. The account holder’s bank will transfer the money without asking for any verification from the account holder that the transfer is authorized and genuine.
Banks generally do allow people to put blocks on their accounts to prevent such transfers.
So, be afraid. Be very afraid.
Banks: this system badly needs to be fixed.
4
@Alex Never have your name/address printed on your checks. That tidbit has been out there for ages.
@HarlemHobbit
You are likely correct, but the problem is not the name and address, it is the account number pre-printed at the bottom of every check, along with the bank routing number. The person I give the check to knows my name, of course, whether or not it is printed on the check.
1
Just a thought and feedback welcome - kind of Biblical sentence for the alleged Tech/Brainiac suspect: since this person willfully and intentionally gave up millions and millions of people's private info, FOREVER, how about the Tech/Brainiac be tethered to a web cam device for their entire life?
Anyone, anytime, can see what that person is doing. NO PRIVACY ever again?
Would be an easy tech job to pull off.. and use body lock tech too? Who'd want to voyeur is not the point.
1
What was the configuration vulnerability that provided an avenue for the hacker, and who is responsible for creating this avenue?
@Vijay, We're going to tell you?
2
No matter how smart the people installing a security system are, there is always someone smarter to find and exploit any weakness.
1
Life in prison for large scale hacking. Society needs to get serious about this crime.
5
@Newfie
That is OK for those hackers in the USA but for everyone else? Hacking is an international problem.
3
As a side note, the fact that Paige Thompson is a transgender man will not help the LGBQT community. I already see comments that I suspect will be picked up as talking points on conservative media and among Trump supporters.
3
@Misplaced Modifier Good point. Why don't we make sure the sex, ethnicity, religion, age, education, medical history etc. of ALL suspects is disclosed so we can decide how much of the behavior to attribute to each. I BET the majority will be colorless people, some version of Christian, heterosexual.
[SARCASM]
5
Capital One will chase you down if you miss one payment but is lax on security.
7
@Roger
There should be a fine paid to each person whose data has been stolen. Just like the banks charge you for breathing.
3
At some point someone will tally up the hacking crimes of the age, and this hack may make the list. If this hacking crime list is disaggregated, let it be known here and now that this was not a female who committed this crime.
well, a former software engineer on the software that the engineer is purported to "hack" is kind of like asking the magician, "wow, how did you pull a rabbit out of that hat?" -- the answer, of course, is that it's her hat.
and many a software engineer has left an easter egg subroutine or postemployment transom in the guts of the ghost of the machine of their former employer, because software engineers are badgerlike in that they know one trick, and that one trick is that they know what you don't.
so here we have exhibit A, a millennial wannabe hacker whose main exploits seem to be breaking into systems she has previously authored (in part, but sufficiently the right part), and then bragging about it.
oh my, what an ambitious little girl we are. i hope it turns out well for you in federal court, paige. because federal court is usually where hackers go in "ha ha" and come out "boo hoo".
wake up this morning, and do yourself a favor: put all your credit scores at all the credit agencies on privacy lockdown. a simple letter will do it. in that case your social security number, your personal information, your accounts, all become futile avenues of fraud.
instead, some nigerian will text, email, messenger you with cooing tidbits of friendship and love, and your only hazard will be that you fall in love with a text message attached to a photo of a tattoo'd soldier in afghanistan -- my sincere condolences to you if you do.
1
Seriously, start putting away hackers for 20-to-life, no sugarcoating. If a small-time drug dealer can get that, a hacker doing hundreds of millions in damage should get worse. Devastate them. I promise the vast majority of society will support brutal punishments for hackers.
4
There are two issues here. The first is mental health, the second is lack of regulation to protect consumers and society from unethical actors.
Government regulations that reduce the harm of unethical actors are a good thing. Regulations that protect the consumer from unethical actors are a good thing.
2
@baetoven
By 'unethical actors', do you mean the corporations who can't be bothered to implement secure policies or encrypt their data?
1
@baetoven Exactly. In financial circles and retail, data security is woefully inadequate. Laws need to be made more stringent on the business-side so businesses take data security seriously. Many credit unions and retailers are using antiquated perimeter defenses. Attack surfaces are constantly changing, and each and every business trusted with our financial data needs to understand and prepare for this. The mental health issue seems specific to this case, even the perpetrator admits her attack was of low sophistication, which says what about infosec at one of the nation's largest consumer banks? Don't forget, in places like the Ukraine, China and others, there are sophisticated hackers who are working night and day to find holes in our financial system, power grid, government systems, etc. Some of this is state sponsored. Hopefully this is a wake-up call.
I just spent an hour freezing my credit. I applied for my piddly-rump $125 on the Equifax breach last week. I use 2-factor authentication everywhere I can. Companies need bigger fines and motivation to prevent breaches. So far, it's the cost of doing business to them. AWS (Amazon Web Service) is as much to blame in this case, as they left the keys to the kingdom in allowing this toxic narcissist access to place a firewall hole for her to worm into later. Companies like AWS need to require security clearances similar to the Department of Defense and disallow people who are similarly dangerous.
13
@raftriver I may be correcting myself. This was a firewall breach, yes, but it may have been Cap One's, not AWS. I do stand by my thought that Thompson is a toxic narcissist, evidenced by her very public trail of electronic breadcrumbs.
1
'What's in your wallet?" .... "well, nothing, now" :-(
Remember that whenever a fraudster uses your identity to steal from a credit card issuer, even though you are not directly responsible for the charges, we all end up paying for it, in the form of higher interest and fees on the credit cards, because the banks are certainly not taking the "loss" out of their profits.
16
If a software engineer can hack through Capital One security programs then our election booths and election data gathering centers are toast. A great Russian slogan: with a helper a thousand things are possible
19
It seems to be an almost daily occurrence.
2
"What's in YOUR wallet?"
For millions of Capital One customers, some shady characters already know.
4
Why is the hacker not being charged with 100 million counts, one for each victim?
10
@felixfelix
Because it was Capital One's data. Capital One stole your identity, the hacker just stole some data.
I almost guarantee she wanted to get caught.
4
Any bank and credit card company can be hacked. Your data is not secure. You just hope and pray that someone doesn't trash your good credit or use your social security number to try to collect your SSI benefits. Between the privacy concerns about social media platforms (Facebook) and possible hacking of personal and financial data, it seems that your safest bet is to go off the grid.
I hate to sound like a fatalist, but we all know that one day there is going to be a financial hack that's going to literally wipe out the financial systems worldwide, and it's not a question of how, it's when.
3
This is just the tip. If people knew what was going on in the tech and financial world they would never sleep at night. When it comes to American companies, as far as I am concerned some of the things they do or allow are worse than theft, it's treason.
5
Put the creep who stole the data in prison, and make Capital One and its contractors legally responsible for the breach.
4
"What's in your pocket?" Not a Capital One card anymore.
1
Re-imagining banking..."What's in your server?"
1
Please don’t dignify this person with the title ‘software engineer’. She’s not.
1
@Richard Ray
Or the pronoun "she." Paige Thompson is male.
2
How much do you have left in your wallet?
1
Paige, sweetie, could you hack the IRS? There are some tax returns we would like to see.
18
While this is really terrible, anyone else excited this was a woman hacking? About time!
3
@Michael Hill The hacker wasn't a woman.
1
@Michael Hill
Lots of trans women in tech. Just like Paige Thompson.
What's in his wallet?
2
What’s (not) in YOUR wallet?
1
If someone can get 150 million SS numbers, surely _someone_ can get one President's tax returns.
15
Some of the best hackers in the past now have IT security positions with financial institutions, corporations and even government security firms. Perhaps this hacker was “interviewing” for another IT position. What is more scary is the amount of firearms and ammunition that was found in her home.
2
She didn't shoot up a school, but it's still villainy for fame. More people are caring less about the legal consequences of their crimes, as long as they get their social media ratings.
8
Almost every major credit card issuer, and banking institution, including those that are thought of as brokerage firms, have an "alerts" function that you can sign up for online. You can input a quite low alert amount, even as low as $10, to get a text or email alert if, let's say, $10 was charged to your credit card, or withdrawn from your account. There are other "alerts." Such as, your balance is below $_____. The alerts function is free.
From my experience, that function works. For AMEX, Citibank, Capital One, Discover Card, Chase Bank and even Fidelity. With Chase, if I use the debit card at Publix supermarket, I get a text about my "charge" immediately. Before I even gather my bags and leave the store.
So, none of us can prevent hacking. But, if we have computer access, we can register our accounts and take the time to set our alerts. At least then we will know if someone has taken over our account. Which, I know, won't help with identity theft, but will be better than doing nothing.
11
When you have men and women sending thousands of dollars to fictitious Facebook clones with manufactured identities, what's the difference? A reported 500 thousand fraudulent accounts on FB are deleted each year, and that's only a fraction of the ones in existence. With FB looking at going into banking, what could go wrong?
2
And, if you have a Capital One card, and go on the website, all they say is that they will let you know in the future if you are at risk, but that it doesn't appear that you are at risk (at least for me).
Advice: Unless it's the only way you can get a credit card, never get a credit card from the same banking institution where you have your checking and savings accounts; even if they offer it, decline. Their right of set-off alone is disadvantageous to you, and their having your bank account numbers attached to your credit card is disadvantageous to you.
6
I'm not exactly sure what there is out there for most people online to steal. Almost anything about a person is at the keyboard of any mid-level web/data computer programmer.
I was not the least surprised when, after discussing delaying a possible trip to France this summer owing to the heatwave and visiting our kids in CA (while we were in the kitchen listening to music on Alexa), the next time I logged onto the web I was bombarded with ads on last minute discounted flights to the two destinations in our conversation.
9
@Glenn
That is why I don't use Alexa or Siri or any of this other garbage. I don't need to be surveilled in my own home in exchange for a little convenience. My hatred and loathing of computers deepens by the day. One of the things I am most looking forward to about retirement is that I will finally be able to exorcise this sickness from my home and life.
2
And I get crazy looks from my husband when he mentions getting an Alexa and I'm like, I don't need a cloud-based listening device in my home. Until those online listening devices are regulated hard, with way better transparency and the option of opting out of having your privacy violated vs. using the product, period, then no thanks. Our phones are probably doing enough spying as is.
I miss the time in the not so recent past when I could store everything locally and offline. Now more places are auto-copying your things to OneDrive or Google while hiding the ability to opt out in the fine print. (On top of OneDrive sending threatening emails to pay more for their service or they will delete the files they copied without my permission onto their servers.) YES, delete them.
2
I knew my information was already public because of Equifax. At least now I will get an additional $125 bucks next year.
4
Bleak assessment.
Maybe we should all just stop paying. Any credit or loan payments. Just stop sending the money.
@L
Maybe not. See this NYT article from the Privacy Project: "Equifax Claims May Not Get You $125" https://www.nytimes.com/2019/07/29/opinion/equifax-settlement.html?searchResultPosition=1
@L Getting that $125 is more work than it should be. The consumers are being put through hoops with an extensive filing process and documentation requirement. On the other hand, no one from Equifax was even disciplined for this huge data breach. Equifax was barely slapped on the wrist and operates today as though nothing happened.
1
Unless and until we truly hold companies responsible for keeping our data secure, and penalizing them, as per Equifax, when they don't, most companies won't work hard enough and smart enough to ensure that their systems are as hack-proof as they can be. Offering free credit monitoring is a lame response to this serious issue, and yet we let that suffice as a corporate response. The issue is not that people's data were used fraudulently, it is that those corporate entities we trusted to keep that data secure failed miserably. How and why did this ever become an acceptable cost of doing business digitally? Ask your Congressional reps - I've been doing that for over a decade, and have never gotten a reasonable response. Maybe it is because the corporate digital community has lobbyists with very deep pockets...
11
To hold meetings on how to better break into a computer or computer network is audacious, and wrong.
Why aren't there severe repercussions for hackers?
4
@Nancy Why aren't there severe repercussions for companies to care about securing our personal data? These same companies are making obscene profits from selling that same personal data to advertisers and others, foreign and domestic. The fines they face are just a slap on the wrist, so they learn no lessons, and the news cycle moves on to the next outrage.
I, for one, applaud these efforts to expose the ineffectual data-security job these companies are doing. Having said that, I expect Ms. Thompson should face jail time. At the same time, I'd like to see many of these companies face fines so large they go bankrupt: Facebook, Equifax, Google. Being amoral should not result in profit.
Last week I received two separate notices from two different companies of a security breach that may have exposed my personal information. While both offered to cover the cost of a credit monitoring service, I already have one in place from another company's inability to "protect" my information. I don't think this is about Corporate America not knowing what to do - they know full well what it would take to properly secure our information. This is simply about money and not wanting this expense on their P&L. Yep, Republicans, business knows better.
8
Hacking doesn't seem too hard, and passwords do not seem to be the best way to protect people's information. Perhaps all personal and financial information should not go through the internet. I also think the government, not private contractors, should protect our information, in part from private entities. The police and the army protect our property and lives. Our information is now our functional identity. I would trust the government more than a private bank. They can be fired; banks just merge or hide out in the Caymans for a while.
7
As a woman programmer, is it wrong of me to be a little proud of her skills?
But she was very sloppy about hiding her tracks. Almost makes you wonder whether she wanted to get caught.
9
CPod,
You’re way smarter than me. It’s an effort for me to update my Roku box.
But you get that this person committed a crime, right? It’s just like if somebody in my building jimmied the lock and took stuff out of my desk.
Let’s not romanticize this. Stealing is stealing.
2
@CPod, to respond to your question, yes it is.
3
@CPod
Great, let's celebrate women becoming more like men. Is that why bras were burned? I thought we were supposed to bring a better perspective to the male dominated messed up world.
3
This woman just wanted to demonstrate that the companies that hold your information are too cheap, lazy and unwilling to spend the money to secure it.
Their “payouts” to exposed people are just the cost of doing business and is much less expensive than securing their computer systems.
Any company that holds this type of information should employ hackers full time to continually test the security of their systems, but that would cost money.
14
@Paulie
Completely agree, and unfortunately it seems that this is how big corporations will continue to do business. The system of thinking and lack of perspective is endemic of a deep imbalance that bodes for "sinking ships" and other "fires" upcoming. We have lots of lemons in life... lemonade anyone? And while we are at it, let's throw out some of those rotten lemons - they have a bad taste and can carry mold.
@Paulie - This woman is not some sort of "crusader." There were better ways to alert the public; instead she chose to put millions of people at risk of identity theft.
@Zippybee57 who was put at risk, no info went past her. In any case it shouldn’t be so easy to break in that one person acting alone could accomplish it. This wasn’t a hack, it was someone walking through a wide open door.
Capital One should’ve used
“BOSCO” for their “code”.
4
Be it a hacker, President or otherwise, in this high tech/highly armed country a person with untreated mental health issues can wield an enormous amount of lasting damage.
4
As Warren has said, "why do the people have to clean up a corporation's mess?" I am so upset over this Equifax fallout and now this... when do corporations have to take responsibility?
8
Given Capital One's history, why would anyone use them?
5
"what's in your wallet?"
"Hey! My wallet!"
7
Glad it's not in my wallet!
4
Amazon has everyone's social security number, from A to Z...
4
This hacker might be more dangerous than reported in this article.
The Seattle Times reports: "While federal agents were sweeping the three-bedroom house where Thompson lives they discovered 20 firearms — both assault-style rifles and handguns — as well as firearm accessories, including bumpstocks, scopes, grips and ammunition, in another bedroom"
https://www.seattletimes.com/business/seattle-woman-arrested-in-breach-of-capital-one-systems-millions-of-credit-applications/
12
@Space Needle
That's serious. Cannot believe the NYT did not mention this. Thanks for the intel.
1
I’ve been bombarded with solicitations from Capital One. I have thrown out dozens of letters delivered to my address (where did they get it?) insisting that I take out a Cap1 credit card or account by surrendering my data. I have not had this from any other bank. Luckily I’m not susceptible, but who knows how many others are – and will end up targets of hackers and numerous criminals. Cap1 just needs to stop. Now.
3
Lock her up and throw away the key for a few years.
Next.
3
I look forward to any person at Capital One facing real, substantial consequences for this happening.
Haha, just kidding. We all know that's never going to happen.
14
In its message to customers, Capital One writes:
"No bank account numbers or Social Security numbers were compromised, other than:
*About 140,000 Social Security numbers of our credit card customers
*About 80,000 linked bank account numbers of our secured credit card customers"
They are fooling no one by characterizing the "cyber incident" (their term) as virtually "no bank account numbers or SSNs" being stolen.
10
A lot of these recent breaches have had a lot to do with "backdoor" legal access of third-party staffers like this woman, rather than corporate internal security - very hard for a financial institution to know the risks, much less take precautions, for data on somebody else's servers with no say in who's got the codes. I have to say theft of Canadian SI numbers (which are both tax account and government service ID numbers) may be more difficult to address than the purely financial stuff from a private bank.
2
I'm old enough to remember when every community had one or two mentally ill people who roamed the neighborhood and watched trains go by from the overpass. They were essentially protected by the neighbors. We little kids were told to keep our distance, but we were likewise told not to tease or ridicule them. My grandmother would call them 'poor souls.'
I remember the ladies auxiliary of the fire company buying a wagon for one 'poor soul' and giving him the 'job' of collecting newspapers. I think he received a stipend when he turned the papers in. He lived with his family and it was rumored he ate his dinner sitting in front of the television rather than at the kitchen table, but I cannot confirm this. Someone saw to it that he was clean and fed and housed. I don't know if Henry felt loved. I don't know if he would have known if he didn't.
My point is, even in his mental-illness induced isolation, he had actual real-world contact with other humans and was part of a real-world community.
This poor soul, Ms. Thompson, was obviously higher functioning than Henry, but what is going on with these people when they seem to lack so little real world community? In my mind, the virtual world they create for themselves seems to increase their isolation rather than enlarge their community.
There's nothing like the real thing.
11
@itsmildeyes
A popular expression among the screen addicted is "I went outside... the graphics weren't that good."
2
20 years after Europeans introduced the “smart” credit cards, with the PIN technology, the US is still not using them as they should.
I have a European bank-issued credit card, which requires a PIN to validate the transaction. When I use it in Houston, I can opt out of entering my PIN, which defeats its purpose. Anyone can use your credit card with a signature that means nothing.
What’s the point of having a chip card then?
6
@p6x
The point of having a chip is so the credit card companies can force their customers (the merchants) to either buy all new equipment, or to dump the liability of credit card fraud onto those merchants that have not bought new equipment (and software). The people using the cards are not the customers, and are of little to no concern to the credit card companies.
6
@p6x Smart cards have nothing to do with this woman stealing data online. But yes, those cards are better. I only use smart credit cards. I also carry a bag of gold in my bustier and bullion in my petticoats.
What does it matter? All my info has been out in the ether of the Internet for years, while the code-writing geniuses who brought us all this convenience are doing jobs other than data privacy. Of course, while Congress has been scratching where it itches and picking their noses, there is no such thing as privacy when there should be. Of course, note that the electorate has so little restraint, hooking up doorbells, etc. for the whole World to hack. If you see Alfred E. Neuman or Rocky and Bullwinkle at your door, you have been had. Even Moscow Mitch wants our elections to be public in real time. Let me see, too many votes here so let's put them here? Facebook gets fined $5bn in pocket change. Why not a hundred billion for the national debt, so that corporations are weeping, pounding those gigantic mahogany desks, and no dividends? Bet that would get corporate attention and maybe, maybe even Congress?
7
I do not have a credit card with Capital One, but the irony is that I ran into all kinds of issues setting up a simple account with them because they were trying to be ultra-secure; I can only hope that I will be able to retrieve the money I have with them the day I want it back.
So a legitimate user like myself was unable to access my own account, whereas a total stranger could retrieve millions of records!
2
Did anyone have any money stolen? The bank will lose money, sure. But Paige seems like a white hat hacker here, helping society realize that these systems are not secure and we need to take this issue more seriously. She could have stayed quiet and ran off with a lot of money instead of coming forth.
3
@Jim
Is that similar to a "Robin Hood" who breaks into banks, steals money, doesn't spend it and then brags she just wanted to show how it could be done? For the banks' own good, of course.
4
@Jim along the same line of thought, if she got into your house via a window with a broken lock, then looked around at your personal data, items, etc. you would not prosecute her. You would thank her for letting you know about the broken lock and you would not press any charges. I would at least want her prosecuted for breaking and entering, pay a fine, perhaps do some community service, get counseling, etc. It remains to be seen if any of the data she accessed has been released to other parties - so far no evidence of that and hopefully not.
2
Here’s a case where a financial institution undoubtedly decided credit card applications were not part of their core business and outsourced those operations and key factors of its security. No surprise, outsourcing (cloud magic) came back to bite them. Can’t you just see the PowerPoint slides? “Nothing in my hat, nothing up my sleeves, no capital expenditures, reduced head count, focus our IT on core and no pesky IT security oversight. Presto! Guess I better get another hat.” Apologies to ‘Rocky and Bullwinkle’.
4
@DWS FWIW, this wasn’t a cloud thing, it was a misconfigured firewall and a few other failures that had nothing to do with where the data was kept.
3
It was AWS
The companies with the most "in your face" ads are the ones who seem to get hacked most spectacularly - like Capital One (with which I would never do business).
Let's also note Equifax (which is somehow allowed to "own" my information for its own financial gain, without ever asking or getting my permission), and good ol' Wells Fargo (the keystone kops of banking).
I'd say where I bank (an institution that has never been compromised to date) - but I don't want to jinx myself.
9
Americans have shown repeatedly that they don't care about privacy. They use their credit cards with abandon (instead of cash). They give all of their information to Google and Apple via their "smart" phones. They give Amazon and Facebook all of their personal information. They put permanent corporate listening devices in their homes. Americans. Don't. Care.
Americans want 1. cheap and 2. easy. That's it.
7
@Frank
I am an American and I value my privacy. Sadly, many corporations that already make money have to top their profits off by selling customers privacy. Whenever I get a privacy policy from one of these companies, the bottom line is 'I have no privacy'. The company is allowed to sell my information.
The US Government needs to ensure that customers' privacy is owned by the customer and not by the companies I do business with.
3
So now another card will be issued and I have to update all my accounts I use the card to pay: Netflix, Hulu, Amazon and so on. It's not worth the aggravation anymore.
8
Why spend money securing the information when you can more cheaply pay a fine? This woman has simply demonstrated how easily anyone with the requisite knowledge can gain access to our personal information.
5
Every time I go to my bank or other institutions like the HT or Whole Foods (AMAZON AWS) they ask me wouldn't I rather do the transactions online, "it's perfectly safe." I respond, "No, it is not. I'm a technical head hunter (35+ years) in this and related arenas, and I know for a fact that it is not." They smile at me as if I'm a child.
Which leads me to:
1. Please, for 2020, paper ballots; and 2. do look at your CC receipts and cross-reference them every month, on paper.
12
@Rick Tornello
Rick, shouldn't your #2 be "use cash"?
@Rick Tornello
Senior DBA here. Wish I could like your post a hundred times.
@Frank
Please, only drug dealers use cash. Credit cards are extremely convenient. Everyone seems to be having a meltdown over this, but it's not a big deal. I have used a credit card for more than 30 years, and all it takes is a little common sense to avoid problems.
No one will know what the ramifications of this breach may cause in the future, but I have an inkling. As a Florida Supreme Court County mediator, I handle small claims disputes over credit card debt. Credit card companies will charge off a debt and a collection agency or attorney will purchase the debt. After rounds of phone calls, the collection agency and/or attorney will file a lawsuit. Defendants will face off with an attorney. As a mediator I handle the discussion between the disputing parties. I am guessing there may be more defendants who will use the data breach as a claim on the debt that was charged off. It is something to keep note of.
10
What's it going to take to make these companies respect our privacy? Clearly the financial penalties are easier for them to pay than fixing the problem.
6
Perhaps no one was paying attention. The alleged miscreant almost surely has poor opsec, so a real data thief only has to steal the data from her... she takes the fall, they take the valuable data.
Personal data should belong to the person, with retention by a corporation only as long as there is an ongoing business relationship. Oh wait, this is America, we are the product ("It is for your own good!"). Why does Capital One have application data from 2005 still on its servers? One hopes the associated person is still a customer, although this being Capital One that seems to me doubtful.
6
I realized that crime will continue unabated when the announcer said...'up to five years'. Seriously? This should mandate a federal sentence of 10 years and a 1 million dollar fine along with a lifelong ban on anything computer-related.
18
Amen. These sentences are way too light.
4
It's beyond time for all of us to stop giving away our personal information. I was in a store Saturday. I made a small purchase. At checkout they asked for my phone number. When I asked why they needed it, I was told for rewards purposes. I said I didn't have a rewards card, and didn't want one. Then I was asked if I'd like a paper receipt or have it emailed to me, which would require me to give them my email address. I took the paper receipt. We MUST stop giving away our personal and private information. It's time for people to get off of all social media. It's the bane of our existence. We strive for privacy, yet are willing to give away our most private information without any thought about who might get it and use it. Enough already!
16
@Michael Why the focus on the means, and not the perpetrator? Regardless of the fact that she is probably white, and upper middle class, she's the criminal. Not the card carriers, and not the card companies. If this were a common mugging, in say, Baltimore, I doubt that people would be saying "pedestrians need to watch themselves better."
2
@Michael Fair enough, but doesn't NYT have your email since you posted a comment?
1
Companies that have private information and are vulnerable to data breaches should hire more full-time internet security experts and buy more firewalls. But that costs money and would eat into profits. Not only should the hacker be imprisoned, Capital One must compensate the 100 million people whose data was breached. Let's see the savings then.
8
I love when the CEO of a company involved in messes like this immediately come up with the "I feel your pain" (remember the gem with Anthem? Sounded really sincere..not), kind of reminds of the scene in Dr. Strangelove "no, Dmitri, I am not saying I am more sad than you, we are both sad"
The hacker in question should have the book thrown at them. One of the problems with hacking is it is treated as a lark; those doing it often end up being signed on as 'security consultants' after a slap on the wrist. One count of computer fraud? How about 100 million? She should be put in Supermax for 20 or 30 years, that is how serious this is.
And when is the government going to realize that cyber crime is no longer a joke, and that with our whole world now digitized, companies have to be held to standards when it comes to security and data protection? In the securities industry, exchanges and other firms are required to demonstrate that they have appropriate security and face severe consequences if they are found lacking. When is corporate America going to be held liable? Anthem's penalty was a joke; that 650 million dollars is not a deterrent, 300 million goes to the lawyers, and of the other 350, relatively little will ever be paid out... so where is the deterrence? As opposed to billions in fines and being required to show vigilant security.
15
@music observer
The reality is that hackers are invaluable in showing a company their weaknesses.
A far better solution is for financial companies not to put so much worth in their clients' credit ratings, and the literally millions of data pieces that make up a credit rating.
Information is valuable only to the extent they assign it that disproportionate value. Europe survives just fine without placing such god-like importance to evaluations from Equifax, etc.
There's no reason that credit agencies should be private corporations, making money from selling customized credit ratings.
So either disband them altogether, or legislate that information to be worthless.
5
@music observer
Accountability at senior levels is not something we Americans care much about. The Vietnam War, the 9/11 attack, the collapse of Wall Street fraud, the war in Iraq, the war in Afghanistan, the semi-war in Libya, the opportunistic dictatorships in Central America and around the world, and a final glide path of global warming. It's a crowded little stage we've built for ourselves.
5
She has something better to do now.
9
Another instance of poor mental health rearing its ugly head on society. Unfortunately, most people with issues fly under the radar until they do something drastic. And rarely do they do much to avoid capture or their own death.
9
@Rob D Why is this a mental health issue? Does that make all criminal activity the result of mental health issues? That's the excuse used by the NRA and their supporters to prevent meaningful gun control legislation from being enacted. This hack is not the result of a mental health problem. It's because a really bad person decided they were going to screw with the system, just to see if they could do it. It was all fun and games to this woman, not the result of some mental health defect.
The government isn't protecting Americans with laws that address our security. You can blame Citizens United. It should be called "Corporate Greed." The Supreme Court is a conservative joke.
15
what's not in your wallet?
11
Guess what...Your personal information is not safe!
Name one big corporation or government that has not been hacked. Also please consider the many hacks that are not reported. It truly feels like all our money and personal data are being stored in a flimsy wooden safe with a fancy plastic chrome door.
We might start to think that this is not the right way for humans to organize essential data.
6
Another free legal pass for Capital One and America's largest corporate welfare queens for gross incompetence and failure to do its job of protecting its customers' data.
Fine the corporations.
Fire the CEOs.
Make them legally responsible for their gross negligence.
And let Congress share a prison cell with the CEOs to better understand that they are also guilty of gross negligence by ignoring corporate gross negligence for the last 20 years.
12
@Socrates Interesting approach. I agree fines/firings are in order. I'd like to hear your criteria and logistics for imprisoning the thousands of Congress people who have served over the past 20 years. It seems you are recommending we go back to 1999 and imprison every Republican, Democrat and Independent who has served regardless of their individual performance and/or efforts to implement bills to improve information security, etc. Or are you just venting? The person who hacked in previously managed the servers she broke into. She had insider information that enabled her to exploit the situation. It will be interesting to see how the investigation goes, did the offender put a back door in place during her previous work with that data, etc.?
And the people say... AMEN!
Last night I found out that someone was globetrotting on my dime. I called Capital One and they said it was unlikely related to the hacking. Pretty coincidental, though . . .
4
Come on. Why would your anecdote be more than coincidence?
1
Hackers are glorified for their so-called expertise. High tech companies and learning institutions host “hackathons”, movies romanticize hackers as brilliant, misunderstood geniuses. It’s just another way for attention seekers to feel special or validated.
I hope this woman can find a good home for her cat before she goes to prison.
19
I don’t know the psychology behind why people hack - monetary gain and a sense of power/control not withstanding; still, I would think secrecy would be paramount - this woman simply sounds mentally unstable.
10
Instead of "What's in your wallet?" the new Capital One slogan should be: "Who's in your wallet?"
151
Honest question: why is it that knowledge of someone's SSN is in any way a problem for THEM? Shouldn't the businesses and institutions that designed and profit by use of a system of transaction based on such easily-purloined information be the ones who are at risk in cases of stolen credentials?
11
We are well into a dystopian existence that like the frog in the heated pot, we didn't notice it was disastrous.
Those of the hyper rich, let's say hundreds of millions of dollars of net worth, may be able to carve out a safe existence, with distributed investments in property around the world. But as our essence, our unique identifiable being, is now represented by analogues, or a massive database of our image (to be animated with voice), and no human who actually knows us in person, like a bank manager of olden days (a few decades ago), there is no possible protection.
Think of the NSA, where it only took a single individual out of the thousands of employees to divulge the most secret information. And ultimately there must be that back door for an expert to have access to all data and programs.
No matter the degree of security, these are people, with families, and children who ........ I don't want to be explicit in this scenario, but this nightmare is on its own track. Perhaps our unique DNA could be an ultimate source of identification, at least until some evil genius spends the two weeks to digitize a sample.
7
Is it time for long jail time for those who do these kinds of things? Maybe it wouldn't be so fun and attractive to get this type of attention if these hackers knew that they were facing many years in prison. I'm usually not a proponent of jail for non-violent offenders, but because this type of thing can ruin lives, savings and retirement for hard-working people, something needs to be done. This woman was boastful. It's nothing but a game and she doesn't seem to care who she hurts.
11
Why is customer data not routinely encrypted? The standard of data protection in the USA is abysmal and truly reflects the lack of customer care by major corporations.
3
@Tony N
Customer care is a cost to a corporation. You know the rest.
2
I'm wondering if Capital One is going to have to change their TV ads. You can hardly be asking "What's in your wallet?" when the wallet has been emptied by a hacker.
10
I would like to see a report in the Times about the extent to which people are hurt by these events and how that has actually happened. And when that does happen, how do the banks respond?
All I've read is this story which runs every three or four weeks with, more or less, just the name of the violated corporation changed.
I would search for this myself but I'm too busy changing my passwords again.
11
If this fairly ordinary hacker could get into Capital One, who can possibly believe Russia's GRU can't do whatever they please with the many varieties of outdated state election software?
I've read that at least ten states have no way to verify the election results that appear on their computer screens. And that another dozen may have some checks, maybe.
So with McConnell, Trump and an all-GOP cast doing all they can to block legislation that would shield voting software from foreign hackers, I think we can skip all the election hoopla and just ask Putin who won.
A real time-saver!
27
@Bill Banks
For starters, because state election software is not connected to the internet, like Capital One and any firm that uses cloud-based servers.
@Bill Banks
She is not an ordinary hacker. Re-look at her computer skills and experiences. She has had the accesses and the tools.
6
@Viv yes it is.
1
As scary as these security breaches are to victims like myself, I can't help feeling that the hackers have a Robin Hood-esque veneer to them.
As long as the hackers don't distribute the ill gotten information I believe that they are performing a service to the target company. They are exposing vulnerabilities in corporation's security systems which could easily be accessed by another person with nefarious intent.
Sometimes we just have to avoid looking a gift horse in the mouth.
1
@DA Mann,
DA, there is an entire industry of White Hat hackers whose job it is to discover vulnerabilities and penetration test security systems. Security researchers consistently discover misconfigured firewalls, servers, and web apps, and disclose the vulnerabilities through proper channels to the victim company, or, if the company is unresponsive, to the press. Sometimes these researchers are compensated, sometimes they are not. These are the Robin Hood characters. Not this buffoon who stole data for personal gain and notoriety and threatened to disseminate it online.
3
@Jeff
No one does this type of work for free, or paid solely by a university stipend. There is a natural conflict of interest in hiring a white hacker. It is the same problem you have with hiring consultants.
You're not paying them to tell you what's wrong with your company; you're paying them to provide the suggestions management hinted at, but doesn't want to take responsibility for.
Dollars to donuts I bet you Capital One tells their board that they were given a clean bill by a white hacker.
Since I have accounts both at Cap One and BoA, following every online purchase I go to one of those accounts and pay the bill immediately. Other purchases, the card is paid in full each month.
Being a federal employee during the OPM data breach, I have the credit monitoring and also have a setting on each of my accounts for financial transactions. If anything out of the ordinary occurs, I immediately receive an email.
5
Slaps on the wrist, small fines, and class action suits that yield next to nothing have become the norm with these companies; banks, credit unions, credit bureaus, credit card companies and retailers. All just issue some empty apology, meanwhile a person's personal data is on the dark web.
I have not had an account with Capital One for years, but I know that my data was breached. They keep sending me credit card offers, which means they have my data.
I froze my credit reports long ago, because of the T-Mobile/Experian and Equifax security breaches. But, I know my data is out on the dark web, just by virtue of the SPAM I get. I have a personal mail server, and I blocked access to it from China, Russia, Iran, and North Korea. North Korea was easy; it only has one subnet.
For all my trouble, I receive $20 from the T-Mobile mess, and I may be lucky to get $125 from Equifax. Far short of the $200 or so a year I pay because of corporate irresponsibility with personal data.
What is even more maddening, all these places are certified to be SOX Compliant. Apparently, these companies do a lousy job with securing their networks and servers. In the case of Capital One, not monitoring the actions of their own employees.
Meanwhile, our government continues to deregulate and look the other way. They are too busy building walls, spewing racism and dividing the country for their own personal financial and political gain.
For me, I will probably get $10 settlement from this fiasco.
20
@Nick Metrowsky
They send credit card offers to everyone in certain geographic locations - typically poor areas where they know that credit is poor.
Their target market is people with poor credit ratings, who are likely to fall for their deceptive marketing.
4
@Viv
That is not totally true. I have an excellent credit rating. And, I do not live in a "poor area". Boulder County has a mean income of over $90,000/year.
@Nick Metrowsky
Being in a rich area doesn't insulate you from having a poor credit rating. Their data science teams were considered top notch even 10 years ago in targeting profitable customers. TD Bank wanted to acquire them solely for their abilities, but they were unsuccessful.
1
In earlier iterations of social organization, crimes that were deemed to strike at the heart of the economy merited capital punishment. Couldn't resist the term. Debasing the currency (counterfeiting) in ancient civilizations was treason. In the Old West horse thieves and cattle rustlers were hanged. More recently when cars replaced horses, grand theft auto had a longer sentence, and carjacking still does. Many of you would disagree, I am sure, but the public hanging of a hacker would go a long way to dissuade hacking for a thrill and hacking for profit. It would not dissuade governments, but at least the private hacking entrepreneurs would think twice, probably more than twice. For example this woman. Would she have done a thrill hack if someone else had been recently and publicly executed for doing the same?
7
@Paul you made sense until you got to the hanging part, the evidence doesn't support your claims
1
@Paul Would the NSA do that to one of their own?
Article fails to specify exactly what harm was done, other than the bank having to pay for security for outraged and nervous customers. What exactly can be done with all this data?
4
@JimBob There is a gigantic black market for personal information of all sorts on the Dark Web. The information can be used for all sorts of things, ranging from the petty (online shopping) to the nefarious (identity theft). SSNs and other personal information are bought and sold every day on certain websites (e.g., 100,000 CC numbers with three digit code for $XX).
1
@JimBob
Depending on the data accessed, bank accounts may be opened in your name, other credit cards applied for in your name, payments made for online services (some of which, because they are in YOUR name, may be of very dubious types), all causing you much time, effort and distress when you try to clear your name and credit ratings. And that's just for starters.
1
@Srini
The vast majority of stolen data wasn't CC numbers. That was only ~140,000 clients out of 100 million clients.
The information stolen in this hack is valuable because it gives you an insight into how they evaluate their customers for credit. Capital One was/is notorious for targeting people with problematic credit and making money off of them. This is valuable corporate intelligence.
Likewise, Equifax and the rest of the credit bureaus are extremely opaque with how they determine a person's creditworthiness. In any fair and just society, that data should be as open as the free access to laws everyone has.
2
“The bank also said it expected that the breach would cost it up to $150 million”
They figured that into their decision-making on whether they should upgrade their security system, and then said, "we will just pay the fine".
Our bought and sold politicians couldn't care less about our data being stolen.
12
Serious jail time or this never stops.
Ironic how every electronic system we develop ends up accomplishing the opposite of its intended purpose. The EMR, on line shopping, email, cell phones, GPS, etc
The lack of trust in these entities will lead us back to the early 20th century, bringing back snail mail, land lines, maps, toll collectors, catalogs, real people answering phones. Just wait until the hackers get into the self driving trucks and cause a jam-up on the George Washington Bridge (Oh, yeah. Christie already did that.)
20
This is a huge issue for AWS. I’m a software developer certified in AWS solutions and one of their major selling points is that data is secured for your business only. That this was able to happen blows a huge hole in the idea of the public cloud being safe.
Remember that AWS has contracts with our national government. And other governments.
20
@S - Settle down. Read the story. "Amazon said it had found no evidence that its underlying cloud services were compromised." Yes, that would have been the lead headline, if AWS was compromised.
4
@S What most likely happened here (I work on AWS too) is a software misconfiguration on the part of the customer. Every customer has to be vigilant: even after you design your architecture and implement it in the cloud (or on your own servers) you need to have people from the outside inspect and audit and bang on it before you can be even remotely confident you've secured it adequately. AWS gives a huge attack surface and it's trivially easy to misconfigure security settings on something like an S3 bucket so that the world can read it.
7
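The commenter above describes the world-readable S3 bucket mistake in the abstract. As an added illustration (not from the article, from any commenter, or from Capital One or AWS), here is a small offline checker that flags the misconfiguration in a bucket policy document. The two policies, the bucket name `example-customer-data`, the account id `111122223333` and the role `app-reader` are all constructed for the example; the weak policy grants read to `Principal: "*"` with no scoping condition, the hardened one grants read only to one IAM role and adds a Deny for non-TLS transport.

```python
import fnmatch
import json

# Constructed sample: the classic mistake. Principal "*" with no Condition means
# anyone on the internet, authenticated or not, can list and read the bucket.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-customer-data",
                     "arn:aws:s3:::example-customer-data/*"],
    }],
})

# Constructed sample: the corrected form. Read access is scoped to one IAM role
# (hypothetical account/role), and a Deny statement refuses plaintext transport.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-customer-data/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-customer-data",
                         "arn:aws:s3:::example-customer-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Condition keys that narrow WHO may call; a "*" principal guarded by one of
# these is not public. aws:SecureTransport only narrows HOW, so it is excluded.
SCOPING_KEYS = {
    "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip", "aws:sourcearn",
    "aws:sourceaccount", "aws:principalorgid", "aws:principalaccount",
}
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for "*" or {"AWS": "*"}, the two spellings of 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _has_scoping_condition(stmt):
    cond = stmt.get("Condition", {})
    keys = {k.lower() for operator in cond.values() for k in operator}
    return bool(keys & SCOPING_KEYS)


def _grants_read(actions):
    """Match literal actions and wildcards such as s3:Get* or s3:* against reads."""
    return any(fnmatch.fnmatchcase(target, pattern.lower())
               for pattern in actions for target in READ_ACTIONS)


def public_read_statements(policy_json):
    """Return the Sids of Allow statements that expose reads to the whole internet."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if _has_scoping_condition(stmt):
            continue
        if _grants_read(_as_list(stmt.get("Action", []))):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def is_world_readable(policy_json):
    return bool(public_read_statements(policy_json))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: public read statements = {public_read_statements(policy)}")
```

The bucket policy is only one of several places public access can be granted (object ACLs and the account-level Block Public Access setting also matter), so a check like this is a first filter, not a proof that a bucket is private.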
@Character Counts
AWS would never admit it if their cloud services were compromised. Too many companies rely on their cloud services.
7
My wife and I have an enviably high credit rating that is perversely based on our having considerable available credit on the many credit cards we have accumulated in our 50 years of marriage. We pay off statements in full every month, and never carry debt. But we have been warned that if we dropped underutilized cards, our credit score would go down. This is a feature of the algorithm used for the computation that seems intentionally to encourage loose credit.
Fortunately, our relatively few credit card uses per month per card means we won't miss strange charges. I once found and reported a bogus $0.27 charge and got a new account number, and my wife the same with a small dollar charge with a phone number traceable to Eastern Europe. Few others would bother. You could make serious money defrauding millions of people tiny amounts that go under the radar. I missed my calling, it seems.
28
@VJBortolot You can drop a few cards and your score will bounce back up after a few months. I also recommend getting new cards every 6 months so that if one is compromised it's a dead card
6
Then again, if you're paying everything off every month, why worry about credit - and a credit score - in the first place? I miss the days when we had a friend at the local bank (working there for years and years) who would write an unsecured loan whenever a little help was needed.
7
The case for paper election ballots.
Ongoing cyber-security breaches identify the risks of not having a paper record.
There is no need to know the results of an election a few minutes after the polls close. Let's count ballots and then report. And yes, I am no fan of exit polling either.
(An aside: pre-election polling had Mike Capuano winning his primary by 10+ points before he lost to squad member A Pressley.)
14
On a portable disk drive, my data is one accident away from being lost forever. That’s why I have a duplicate drive in another location. Cost for two external 1-TB drives? $120 with a 3-year warranty and probably a ten-year lifespan. Who can get to that data? Just me.
Storing data in “the cloud” sure is cheap and easy. You’ll never lose it. Of course, if one of the data centers that makes up “the cloud” has a disgruntled employee, or a financially-compromised employee, or a careless employee, or an incompetent employee, or if someone leaves the door to the data center opened, or if someone configures a firewall incorrectly, etc., etc., well, then all of the world may see all of your data.
But what are the chances of that?
12
@NorthernVirginia Just not true that your portable drive is not vulnerable. If your computer is connected to the web, the drive can be accessed remotely like an internal drive. We'll all get hacked at some point, whether through your credit card company, your bank, your town's tax office. Just get used to it.
5
@NorthernVirginia Flash based drives can last decades if not written to constantly. Old style platter types, HDDs, can die due to mechanical parts. Always fully encrypt your hard drives also ;)
5
@Andy
One is in a desk drawer and one is in a safe in another State. Good luck to the hackers.
As long as there are no substantive federal laws penalizing corporations for lax security when cyber breaches happen -- these cyber breaches will happen continuously -- which they are.
17
Let the record show: cybersecurity is one area where the private, free market has decidedly failed. Republicans are always going on about how much better private industry is, and how government is so wasteful and incompetent. Well, it's not the federal government that has lost sensitive info for hundreds of millions of people. That was Yahoo, and Equifax, and Marriott, and Target, and eBay, and Capital One, and numerous other titans of industry. For twenty years now, we've been watching them give our most sensitive information away to criminals while we praise them for their supposed superior competence. Can we now at least admit that there are some things private industry doesn't actually do very well? Could it be that we need strict regulations on how companies store our private info? Because leaving it to their own devices doesn't seem to be working...
653
@g
To be fair, the OPM was also hacked.
37
@Chris Before too long some GOP stooge will tell us that we can't have any more of those "burdensome government regulations" that interfere with the ability of business to make money. (Then bribes get dumped in the form of campaign contributions into GOP coffers). "Burdensome" is the dog whistle oft used by the GOP when they intend to spike any attempt at government oversight of business.
115
@g This keeps happening because these "titans" of private industry refuse to pay for the security to prevent the hacks and loss of information. As long as the fines they receive are less than what it would cost to update and add on security they will gladly take the fines. Let's ask about their shareholders. They are complicit in these hacks because they don't demand the security.
28
"What's in your wallet?"
Somebody else's hands!
37
The thing that gets me is the wanton abuse of authority and privilege by the Federal Bureau of Investigation! What right does law enforcement have to monitor everyone without first, a reasonable suspicion of a crime. Then, probable cause of a crime. And then a strong argument to a judge or magistrate to obtain a warrant? What the heck happened to due process in this dictatorship of a country? I have really had it!
6
@John
It is known as probable cause; hackers talking online is not private conversation, and if they have probable cause that a crime is being committed they have the right to investigate. When they searched the alleged hacker's apartment, they likely had a warrant, with probable cause from what the twit posted publicly.
2
Every time someone in an ad for Capital One asks "What is in your wallet?" I scream None of your business!". Now I will scream even louder.
11
The tagline "What's in your wallet" just went off the irony chart.
15
I was concerned when I read this headline. However, this looks very much like someone trying to get attention instead of organized crime so I feel much better. Corporations, particularly financial ones, can afford to put more money into their systems to secure the data better and they should hire more permanent employees instead of contractors when they expose intimate knowledge of their vulnerabilities. I don't blame the show off hackers, I blame the greedy corporations and their halfwit leadership.
5
Unfortunately, it appears she shared some of the data indiscriminately. That is where the problem is.
8
Why not blame the show off hackers too? They know that what they are doing is wrong.
1
@CR Hare--Do you blame the burglar who breaks into your home and steals your property? Do you blame the thief who steals your car? Picks your pocket? Why are you and everyone else so quick to blame the victim here? Just because I park my car on the street and forget to lock it doesn't mean it's ok for someone to come along and steal it. Yes, Capital One may have had a weakness in their system, but what gave Ms. Thompson the right to exploit that? She's a lowlife and a thief. She deserves prison time and for this to follow her around for years, affecting her job prospects and her ability to live a normal life. There is nothing lower than a thief, in my opinion. Taking someone else's property just because you can is despicable. It's easy to blame these giant companies, but if you're willing to let Ms. Thompson off the hook, then just open the prisons and let out all the other thieves that have taken what isn't theirs. Thompson caused this mess, not Capital One. She committed a crime, and she should pay for it.
2
It is curious to me that the data breach says 100 million people. The population of the US is just over 300 million. Are there actually 100 million Americans with a Capital One credit card? How many Capital One credit cards are issued in other countries? It just sounds like a fantastic number of people that the headline states.
8
@R.L.DONAHUE
My thoughts exactly. The US population is now about 328 million, but about 25% are age 18 or under. That gives about 250 million adults. How could they have credit applications for 40% of the adult population?
Checking I find they only conduct business in the United States, Canada, and the United Kingdom.
3
@R.L.DONAHUE - Applications included.
To the person below, there is no "clean[ing] up" this mess. Once your info is out there, it's out there. The damage is permanent, and could hit you throughout your lifetime. In fact, many data thieves sit on such breach data for many years, so when it finally happens, you are completely blindsided. You may be able to clean up individual attempts to steal your identity, but the overall horse has left the barn. Until Congress gives the American people some means of securing some of their data (e.g. a PIN code for all taxpayers, social security numbers, not just their "demo" states), we are open to any type of attack. I wouldn't hold your breath on Congress.
11
...”we believe it is unlikely that the information was used for fraud or disseminated by this individual.” There is no reason to trust Capital One’s belief when we’re supposed to trust them to prevent this from even happening!
11
So if I understand this article correctly Ms Thompson has some computer skills and inside information about the Capital One/Amazon operating system and had nothing better to do than to show the world she could hack into Capital One's database, putting 100 million customers' financial information at risk. Why? To show that she can? Is she auditioning for a better cyber security job?
Anyone with significant information about the security of any database who has some computer skills is a risk. Capital One does bear responsibility, but in reality Ms. Thompson's lack of compassion for her fellow man and what appears to be an extremely boring life led to this crime. She should be charged with 100 million counts of computer fraud and abuse.
23
@VMG - Auditioning for Putin? And, yes, 100 million counts sound a lot better. One hour served per count.
2
@VMG More responsible reporting would have clarified that Ms Thompson is male, a man pretending to be a woman. The motivations for this crime appear to involve a wish for attention as much as anything.
7
They’ll make a big show of prosecuting her. There will be a book and a movie and maybe a show on cable
We should all pay attention to the big picture. They will not put any legislation in place to stop this, they will not prosecute anyone. They won’t do anything
9
Democrats and republicans alike, our society is becoming morally corrupt. This started long before Trump. Will Americans be able to reverse course? Probably not. Only the most sophisticated nations seem to be relatively peaceful, and even they struggle.
7
@Will N
In the article it is stated:
“I am deeply sorry for what has happened,” the bank’s chief executive, Richard D. Fairbank, said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.”
If past patterns of dealing with decision maker culpability are followed, the statement Mr. Fairbank made will probably be the worst punishment he will experience.
If this hacking does turn out to be something more, maybe he will be fired. But in that case, he will probably receive his severance and certainly all the money he made while the hacking was occurring.
Herein lies the problem.
19
Well, it appears the hacker got the attention she was so desperately seeking. And, Capital One and Amazon got even more promotion of their services. Good for them!
4
Three thoughts:
First, if the Equifax settlement was for about $650 million relating to a hack of 147 million accounts, why on earth would Capital One think a hack of 100 million accounts will cost it $150 million? When the dust settles, no doubt that figure will be higher.
Second, let us not lose sight of the fact that the hacker was an Amazon Web Services employee. Amazon will undoubtedly be brought into this. Although the Capital One program was built on top of the Amazon server, Amazon had the obligation to supervise the activities of Ms Thompson. Clearly Amazon shares culpability.
Third, this has got to stop. Account holders are sick and tired of periodically having to go back and check account activity, filing for a credit freeze with each of the three major credit agencies or - if an account holder is unlucky - attempting to straighten out a compromised credit record. It is time for the federal government to attack this issue and formulate appropriate legislation.
14
@The Arizonan - They said she was a previous employee of AWS, and did not indicate she was working for AWS during the breach. They indicated that the underlying AWS infrastructure was not compromised, but the software Capital One installed on top of it was the culprit - that's how the thief accessed the data. I don't think it's clear at all that Amazon is culpable.
14
@Character Counts
It may matter little if she was a current or former employee. If a former employee, she gained the knowledge on how to compromise the system while employed. Amazon has the obligation to ensure that both current and past employees (using acquired knowledge) are precluded from compromising the system.
5
@The Arizonan
The Senate, and Mitch McConnell, will not even vote on legislation to protect our Elections from Cyber attacks. What makes you think they care one iota about protecting consumers? The Republicans only care about protecting their big donors and financial institutions.
3
Several years ago after the Experian and the Yahoo hacks, I decided that hacking re credit cards could not be stopped. My solution to the problem was to purchase a million dollars worth of Identity Theft Insurance from AAA for about $6 a month. No worries now!
3
@Dave - Data breach data can be used in MANY ways. It may go far beyond affecting you just financially, and it may go well beyond a million dollars. Yes, you have much more peace of mind than most, and more bases covered, but you are not totally out of the woods.
4
@Dave I doubt if AAA would sell me anything that cheap; simply based on my zip code..lucky you
@R.Terrance Well, as you might guess, the odds of being targeted by hackers are quite low. Check AAA out. Best--Dave
Why does Capital One have 14 year old applications on file?
Has anyone questioned their data retention policy?
52
...and do these old applications that were breached include old applications of people who didn't get a card or cancelled one?
4
I am not a software engineer. However, a real problem I see is the use of Social Security numbers as a means of personal identification for financial service companies, and other organizations. Social Security was never intended to be used in that way. The linking of those numbers makes all of us financially insecure, and vulnerable from the moment the number is issued and used for identification with non-government organizations.
75
Agreed. I'm a UX designer and would push back on why we were asking for social security numbers as login or account creation information. I never got very informed answers beyond it's standard practice that someone half-heartedly suggested and now nobody wants to change because "reasons". Probably the company not wanting to spend the time setting up 2-step verification.
Most companies have a very slapdash duct-tape approach to building products, and building it secure and right never tends to beat shipping a minimum viable product. I can bet if I bring up this data breach to the guys building our own Amazon service web integration I'll get a bunch of blank stares and doubt they'll change what they are already planning on doing. Surprised data theft by former employees isn't more common.
10
Paul, you are very right: the use of Social Security numbers is a lazy approach, and very invasive. The British economy, with an extremely high participation of American companies, uses no National Insurance numbers in its credit or banking processes, and somehow manages just fine. US firms will know from their experience of the U.K. exactly how to cope.
7
The huge numbers indicate that there's a very good chance that in the Equifax breach as well as this Capital One breach my information was included. I've never willingly had anything to do with either of these sleazy companies. "Applications" implies 100 million people applied to Capital One for one of their credit cards with the rip-off rates and charges. So the first hacking was when they got my information and began using it against me. The second hacking was when one of them applied bogus information to my name. The third hacking is when they unilaterally decided that nothing I had to say about their practices against me meant nothing. The result is that for at least two decades I've already had my personal information hacked: by Equifax and Capital One. Capital One is also a company that once every month or so sends unwanted litter to my house. So what ever is done to the current hacker should also be done to the CEOs and top management of these companies. As a victim there's no difference who tries to steal my good name or my wallet--they're all crooks.
26
The criminal consequences for financial and data-related crimes need to be increased. Their impact on society is far greater than someone who steals a television and yet the penalties for the latter are more stringent. The idea that no one - not a single person - at Wells Fargo is doing jail time for opening millions of fraudulent accounts that bilked customers of hundreds of millions of dollars is legitimately laughable.
46
Why haven't Capital One customers heard directly from them? Why do they hear about this over mass media? That shows how much they care. I'm a long-time customer but I may have to change that - is there ANY bank that hasn't been involved with a major hacking incident?
25
@Renee Hoewing
There was a note about the whole fiasco when I logged into my Capital One app this morning.
Capital One mentions nothing. They will receive no punishment or fines. But, all those folks whose data was stolen will have credit issues that will last them for years because it will take years for them to clean up the mess that Capital One created.
17
@kmgh
Unless the fine is the total $1.5 billion of increased profit this year, it will be meaningless.
To be clear, I'm only after the increase, they can keep the other $32 billion, because that's the kind of guy I am.
12
Capital One will probably lose 1/3 of market value just for damages if you consider the average Equifax payment of $125/user. But I agree and hope a bunch of C-levels are also made accountable, starting with CISO and his Sec Architecture folks, COO, CRO, CIO, etc.
9
@kmgh--Why should Capital One be punished? Ms. Thompson caused the mess. She's the one that should be sued. This should follow her for the rest of her life, making it impossible for her to work at anything but a meaningless job for minimum pay, after she's released from prison, that is. Capital One may have had a "security lapse," but that doesn't give Ms. Thompson the right to exploit that and steal customer information. There's no creature lower than a thief, whether it's customer data online, or picking a pocket. Ms. Thompson is despicable.
2
Capital One is the shark of the credit card industry. Not very optimistic in the responses nor remedies that it would offer its customers whose information was hacked.
9
These companies need to be fined based on a very specific formula - size of breach TIMES severity of data breached. This type of breach should be (close to) financially devastating to this company. Equifax should have been put out of business based on the amount of data compromised - instead they get a capped $700 million joke fine. No slaps on the wrist - make it extremely painful. That's the only way they will start to take these breaches seriously, pour their vast resources into top notch security practices, personnel, and software, keep all systems up-to-date, and put every effort into preventing breaches.
28
@blocker Will that hacker do jail time or will she be hired by a cybersecurity company? Asking for a friend.
3
These data breaches unfortunately will continue and all the hapless consumer will get as compensation will be many lifetimes of free credit reports. Can't pay the rent with those.
13
I believe Equifax "breachees" who already subscribe to a credit monitoring service can get cash money from Equifax.
@Mondoj Man
Who needs universal basic income when we get cash from breaches? UBI - universal breach income.
Given how much information she had to leave to be caught, it makes me wonder if the FBI and other law enforcement agencies are equipped to deal with hackers that don't -- intentionally or unintentionally -- leave such an obvious trail of bread crumbs to their door.
21
Why did I learn about this from The New York Times instead of directly from Capital One? Where's the customer service?
166
@The Heartland If you go to their website, there is a link to learn more about the "cyber incident." What a benign way of putting it.
18
@The Heartland
This is exactly what I was just going to post!
3
@Jules
That's the point. Why should I have to go to their hideous website to learn about this? Where is the email marked "Urgent---Please Read"? Why was there no auto-dialer phone call? A text message?
5
How bizarre that someone so intent on violating everyone else's privacy would be so stupidly lax with her own. She drew prosecutors a map to her door.
16
@Dan
Paige Thompson wanted to be caught. That is the badge of honor in her realm.
4
@mari His realm.
The hacker sounds manic and erratic.
10
But did she steal the personal information of the CEO?
That’s the identity I want.
59
There is only one rational response to this: massively increase the cost of a data breach for corporations that hold consumer data.
Once the data is breached, that consumer's privacy is lost forever. It is no different from a Hit and Run.
34
@Kumar Ranganathan I agree wholeheartedly with your remark. Unfortunately, that will never happen while the GOP controls the presidency, senate, and most of the supreme court.
10
I have had a Capital One card "in my wallet" for over a decade as a primary card for travel as well as every day expenses. However, they have not kept up with the rewards I get on other cards. That, along with the fact I have had other unresolved technical issues logging into their web-site and through the app. For months it was constantly asking me to "update" my password even though it was a long, random one generated by my password manager. So frustrating because even when it was cleared it would come back within a month and Capital One couldn't care less. I stuck one repeating monthly charge on it and stuck the card in my safe. On top of that I had been having problems using it internationally trying to buy online tickets and the like. Again, other cards, no problem. Think twice with Capital One if you have other options. If you get in a bind with them, I doubt they will have your back...
12
It's very serious, the seemingly impossible task of keeping up with hackers, and it poses threats to individuals and all government agencies... I really don't think Capital One would have taken security lightly. Maybe the time has come for creating silos for different information, so that cracking one will not reveal everything.
I suspect that some of the most vulnerable area may well be with telecoms, and utilities, who have recorded millions of SSNs and other info as a matter of course, but which are not as dedicated to information security as banks.
Still, I had to take a second to consider using Meetup as a conduit for getting together with others dedicated to creating havoc. And -Gee, I hope Ms Thompson's cat is well -and that she has a good foster home lined up for when she does prison time.
8
@cheryl
"I really don't think Capital One would have taken security lightly."
Obviously, they did.
Just as obviously, they chose to.
Also obviously, they have to pay, mightily.
5
@blocker
Some believe exorbitant interest rates and the privilege of seeing Samuel L. Jackson every twenty minutes are Capital One's business. But they're not.
CapitalOne, before anything else, sells one thing: security.
They spend billions promoting trust, and make all their money on that basis. They failed to provide it.
It doesn't matter why, or who's to blame, CapitalOne sold a product and did not deliver.
As the apologists here note or imply, it's why CapitalOne gets the horrendously big bucks: they take all the risks.
As laughable as that mantra has become in the face of sordid corporate reality, that means it's time for CapitalOne to pay up. It's Big Time for CapitalOne to pay up.
They should make their customers whole, which means they should do the hard work of straightening out all these credit histories, and they should compensate them generously for the trauma, the pain, and the lost opportunities imposed upon them.
CapitalOne made a record $33+ billion in profit this year, their employees will be fine if their bosses want them to be.
4
Just in: In the aftermath of the data breach at Capital One, the company has changed its advertising slogan to: "Capital One - Now everyone knows what's in your wallet."
66
The only way to force corporations to take data security seriously is a very real threat of jail time for executives. Nothing else matters. They see it as a cost overhead, they don’t care about fallout, or customer anger, or customer identity theft.
I’ll bet their CEO gets his multi million dollar bonus as usual this year, submits to no hostile media interviews and pats himself on the back for his crisis management skills. Why would such tame consequences for threatening the financial security of millions give any of them pause?
53
A constructive penalty for this should be to put this young woman to work defending our elections, since Moscow Mitch and his ilk are doing nothing about this threat to the core of our democracy.
40
There are never any consequences for the companies that continue to fail us time and again. Oil spills, data breaches, personal information leaks, the list goes on and on. Settle, pay a small fine or keep the matters in litigation for years - it's the cost of "doing business".
I am sure that if the executive office was criminally charged, we would see a dramatic improvement in "business practices".
71
"what's in your wallet?" Nothing anymore I suppose.
21
Take a look at this roundabout non-statement from the Cap One website regarding the cyber 'incident':
"No bank account numbers or Social Security numbers were compromised, other than:
About 140,000 Social Security numbers of our credit card customers
About 80,000 linked bank account numbers of our secured credit card customers"
Nothing was compromised. Nothing!....except for.....
24
@John Morley
"...secured credit card customers"
Hee-hee...
1
I guess this makes the case for the use of Blockchain: no central repository of your data, just an anonymous encrypted key.
9
What’s in my wallet? Apparently not my money anymore.
7
I am a software developer and educator, and I can tell you, even if the server is hacked, there are known and widely used approaches to encrypting private data. Yes, it requires additional work to develop and maintain, but that's absolutely no excuse for a company the size of Capital One. They should be slapped with a huge fine for gross negligence.
Given just how important software is, I think it's high time we treat software developers like engineers and require them to be licensed by states. It's a huge debate right now and there are a lot of unknowns, but let's start this debate. It's just too important of a topic to sidestep!
197
@dave
I work in cyber security. It's not that easy. Sure, you can encrypt the data, but then you make it useless for the various applications to use it. Security is a cat and mouse game. Can you plug the holes faster than the bad guys find them? Security doesn't work in a bubble; there are a lot of decision makers who decide how and what will be done to protect a company. So it's not right to blame the software engineers. Let's go back and blame and punish the bad guys who broke the law.
You don't blame the security guard when a bank is robbed. It's the same concept.
17
This is not down at the Engineering level; this is management priorities.
Just like the Challenger Disaster, etc.; look at the top for misplaced priorities.
RF, Software Engineer
16
@dave
Missy is exactly right.
Even if the data is encrypted within the database you need to have decryption built into the interfaces so that you can access and use the data where you need to within the application. No matter how long you make the encrypted data path, there need to be points where the data is available in its raw form, and that is where crackers will focus.
8
When Equifax recently offered those affected by their own breach either $125 *or* free credit monitoring, I thought to myself, “I’ll take the cash because sooner or later some other big company will lose my data and I’ll probably get free monitoring from them.” So there you go.
13
I reject criticisms directed at these companies to imply that this is all due to cost rationalization etc.
We, consumers demand services at minimum costs and companies compete hard for our business.
These data thefts are like safety incidents where lessons are learned and you build a better system.
These thefts are "lagging indicators" to systems designers from which they will learn.
I live in Bogota, Colombia.
For the life of me, it's hard to believe how my HSBC ATM card was used in a small town in Massachusetts that I had never heard of.
And then, it was used in a similar place in Oregon.
Luckily, HSBC had alerted me and nothing much happened other than a nuisance of getting new cards.
I think data breaches are equivalent to pickpockets in a major crowded city.
We must guard against them but to blame city administrators is going too far.
10
What's in your wallet?
Pretty soon, no cash! Hackers do irreparable harm to your credit and your good name. It would be nice if companies like Capital One and others making millions and millions of dollars off of us would invest a tiny bit of that money into improving security of our personal information.
9
As a software developer I can tell you that a lot of the blame for these security lapses falls on management. There is intense pressure to quickly build features & functionality that are visible to the end-user (customer) and/or increase revenue. On more than one occasion I've had to convince management that the prototype I built for demonstration purposes is not suitable for deployment into production. In their eyes, it works, so "let's ship it!".
68
@CS “Some” of the blame on management??? I’d say “all” of the blame is on management!
1
So one server had the account info of 100 million people? How many hours would that take to access? A week? A month? And all that time, the network admins at Capital One didn’t notice??
These are serious, inexcusable lapses in this bank's security procedures. This is the equivalent of Capital One piling up 100 million dollars in cash outside of a branch on a Friday afternoon for a pickup on Monday morning and then returning on Monday to discover it missing, then discovering it was in the basement of one single person, but of course it's all gone now.
29
If financial institutions who are the caretakers of some of our most personal, critical information, are unable to protect it, how in the world can fifty individual states with often flimsy grasps on cybersecurity, be trusted to protect simple, by comparison, voting machines & networks from a massive hacking?
Yes, this is off-topic but it's a clear example of how "free and fair" elections and our democracy can never really be guaranteed if banks, with all their protections, can't guarantee their own systems are secure?
Welcome to the future. It's very dark here.
82
I’m thinking of signing up to LifeLock.
Any helpful comments welcome.
2
@New World. I have Lifelock. While it has prevented people from getting credit cards in my name, it has NOT prevented people from filing fraudulent tax returns in my name - THREE YEARS IN A ROW! However, I don’t think that is one of the services they protect.
9
@Tracy
Good to know.
Thanks Tracy.
2
Engineers in computer systems should be licensed as are many other professions and required to keep malpractice insurance in addition to facing legal consequence for such misdeeds. And prison time. Does curriculum in the undergrad schools address ethics? They should. Her boast of 'wearing a suicide bomb' indicates she knew well of the harm caused by her intentional data breach.
18
@Mike Frank, this is nonsense, for so many reasons. First, very few projects are developed by a single developer but by several, all of which contribute to the resulting code. So which developer's insurance will have to pay up? What about the project leader (usually a program manager, i.e. a non-IT person), will you require malpractice insurance for him as well? Because in lots of cases decisions relating to features or security are not made by IT engineers but by management. And now?
I guess you'd also be arguing for malpractice insurance for cleaners....
But there is a reason malpractice insurance is limited to those that directly affect the bodily condition of a living creature.
4
This is what happens when companies "farm out" portions of their business to third parties. They lose control over who can access their information and how secure that information is.
In this case, someone hacked into a system that Capital One "rented" for its use. Did Capital One have sufficient security measures and encryption to protect its data, rendering its information useless except for its own access? Obviously not!
Just like Equifax, Capital One will basically just get a slap on the wrist or even less.
7
@Ellwood Nonnemacher actually it's different than you described. To start with, for an individual company to build its own cloud service infrastructure would be phenomenally expensive and complex. Thus they use services such as Amazon. Please read the article again. It was the methodology that the bank put together to use the Amazon cloud that allowed the breach, not the Amazon infrastructure itself.
17
I am in the midst of switching cable companies in Md.
I will not give them my soc sec number.
Despite Md. law requiring them to accept alternative forms of identification they are making it very hard.
I tell the drones on the phone I cannot trust their companies to safeguard my identity and credit information.
Only a fool would.
56
@Lawrence
These days, especially post-Equifax, it's a 50/50 chance your SSN is now public information no matter what you do.
Freezing your credit with the 3 credit bureaus is free in most states and it's fairly straightforward to lift for a predetermined period of time when you are applying for a car loan, mortgage, etc.
10
@Lawrence At the oral surgeon yesterday, the standard form asked for my SS number. I didn't include it. Even though their office is an unlikely target for a hack, why bother including it?
9
@Lawrence Your name and date of birth is all any credit reporting agency needs to locate all information about you
3
It would have been nice if Capital One told its cardholders what they should do and how to find out if they were one of the 100 million whose data was stolen.
131
Exactly! Like how do we know whether we got our stuff hacked, and where do we go from here? The security of my SSN is a BIG thing to be wondering about!
5
Are you kidding me? She did this world a big favor, particularly Capital One! We should have a system to encourage, channel and reward such a hobby to enforce the financial system and beyond.
3
@xz
Oh, good! I'm going to go hold up the store on the corner later this afternoon. Give them the opportunity to tighten up their security and gain customers' confidence. Only question is: Should I get a large coffee to go?
1
Oh dear, one less millionaire in Seattle...
2
100 million applications? How on Earth was Capital One going to process that many applications? Wouldn't it take years to do that?
4
@John
I'm sure those "applications" are in the category of applications addressed to you in your junk mail.
1
It was multiple years' worth of applications, probably most of them already processed. The applications contain a good amount of information, and can be referenced when something fishy comes up to check for fraud. When you signed an application, you were liable for false information on that application for as long as that account was active. I know that back in the 80s, when I led the credit system programming for a major retailer (they issued their own cards until the late 80s), they still had all the paper applications stored away for reference, some over 30 years old. They did not have the capacity or processing power back then to store the information online, but they sure would have if they could have, to save storage fees and access time to look up the information.
4
@John
According to the article, the data breach itself has affected 100 million, in other words, the personal information of 100 million or so people has been compromised. However, *only* tens of millions of credit card applications were stolen. For online applications, personal info can be quickly verified and then computer algorithms determine credit risk and credit limit, often in minutes. There's not usually an actual human there approving every online application that comes in, though some applications may be flagged for additional review. And if an applicant is using a co-signer, then there's an additional SSN and another set of personal info on that application.
1
Amazon Web Services "found no evidence that its underlying cloud services were compromised."
Right.
15
@Johnny
The Amazon statement is not that far fetched. When I've set up AWS security it provides some warnings when you choose less than secure access to your hosts. A sys admin made a mistake, and Capital One did/does not have a robust attack vector screening program.
This hacker has done a public service, by showing Capital One and other companies where their security faults are. Give her a job, don't put her in jail!!!
6
@Piedmont
While I am kind of sympathetic to Ms Thompson in the sense that probably her motive was more juvenile than malicious, she needs to grow up. Ethical hackers would either approach Amazon, her employer, or Capital One, her immediate victim.
What if your social were one of those posted on Github?
While I sincerely hope she has learned a lesson and becomes a constructive contributor to her profession, this is a serious matter. A lot of people's lives are upended. Hundreds of millions of dollars will be needed for the aftermath. This is serious!
10
@piedmont Umm, she wanted to sell the data. Not exactly a public service to those whose data was stolen!
13
@Bos you’re right, except no one, I mean NO ONE, will believe her, as a woman without a name “Bill Gates”. This is the only way to achieve it and quickly.
1
Is Capital One worse at security than its competitors?
Would an identity protection service help for those whose information was stolen?
These are just two questions I wish this article had addressed.
6
@Concerned American
My data has been compromised three times: at a private doctor's office, at a state agency, and good ol' Equifax. I would say Capital One's performance hasn't been stellar, but there are so many other weak points that are vulnerable that worrying about one company is pointless (almost).
2
@Alan
My goodness, three times!
Have you gotten an identity protection service?
2
As a long time computer expert, I have always commented that for all the time and energy we save by employing technology, we lose it all in spades when there is a significant fault in the systems or a nefarious actor hacking the network. Despite these dramatic hacks of data for millions of users, it is always surprising to me that the primary cause of tech disasters and stolen info is users clicking on links in their email or texts, or connecting with unsafe websites.
16
Is technology a boon or bane? There are always two sides of a coin. She has used the wrong side of the coin. Has she done it to boast about her capability of hacking, or what exactly is her purpose in hacking? This article doesn't explain it.
Hacking has made the lives of millions of people insecure. This is not the first time it happened. There surely must be some solution to prevent such dangerous hacking time and again.
5
Privacy is SO twentieth century.
40
The cloud is the fog of the internet. Just imagine, one day everyone’s data...everyone’s data will be public to someone else.
I wonder what the cumulative income is to Capital One, compared to that of the lone hacker.
An entire department of nerds penetrated. No wonder the Russians, Chinese and North Korea are hacking away.
Get our elections offline. Do as the French. Paper ballots placed in lucite ballot boxes. We did paper once with hundreds of millions of voters.
116
Too bad with her skills she couldn't have obtained Trump's tax returns. Now that would be cyber hacking for the greater good.
499
Exactly. My first thought was to wonder where the patriots are to hack that or Trump’s 2012 Samsung galaxy or Russian oligarchs or something else useful to our current situation. Wish I had the skill set.
22
1. Russians, Chinese, Iranians, Bulgarians, Estonians... probably have already hacked the same data, and more. We just don't know about it yet.
2. Doubtful if affected individuals will actually be notified, despite the company's 'promise.'
3. Any gov't fine will be no more than a wrist slap.
4. Most of the compensatory payments by CapitalOne to 'victims' will be to the lawyers; affected individuals will get no more than a few dollars... but not for 4 or 5 years.
5
@Rethinking
The truth most likely is that all of the data of everyone on earth that has been given to anyone with a method of recording it electronically is now in the hands of everyone else on earth. There is no taking it back.
1
What should Capital One secured card users do at this point to protect our bank account and other information? What will Capital One do for us?
10
For all the good the computer can do it may also be armageddon in a box.
4
What was in your wallet?
47
@Lawrence More like, "Who was in your wallet?"
23
Isn't the President a Capital One customer? He sued them to stop them from responding to a subpoena for his data.
3
"What's in your wallet", possibly the key to online thieves looting what little I have.
I am sure the comics will have a great time with that ad.
The rest of us, ordering credit reports.
4
Hacking or entrapment, PAT, whatever you say... Why the kid gloves around AWS and what appears to have transpired here, in the midst of Mr. Trump's well stated Amazon regulatory concerns and DoD's momentous Cloud Queen bestowing proxy? I don't recall the CEO of Oracle, Microsoft or IBM having their personal data breached. If it can happen to Mr. Bezos, what does that say about AWS and their "enter"prizing platform? Seems at least someone in the government cares to flush that one out. Too bad it wasn't before the Capital One non-event breach.
Richest man in world Prime Member Selfies, data breaches and costly system outages, largely blamed on client incompatibility issues and all seemingly ignored and dismissed, as the company's market capitalization appears limitless in the face of anti-trust claims and rich government contracts that should line a few more lobbyist pockets. It all just raises more questions as to why the industrial and oligarch owned media shelters some beholden but not others?
3
Recommend that she receives "Capital" punishment for her enthusiastic embrace of the crooked path.
19
@s.s.c. Life without Internet access.
15
Note that the Capital One breach once again involved a storage bucket at a public cloud provider. Will people ever learn? In my considered professional opinion, corporate officers who put their clients' unobfuscated personal and financial data onto a public cloud system and trust the provider to encrypt and safeguard it are unfit for their posts. This breach is a logical and unavoidable consequence of the cloud migration strategy Capital One adopted in 2014; the question was when they would be breached, not if.
138
I believe that AWS is just the infrastructure that Cap One runs their application on. This is a purely Capital One mistake. Data should have been encrypted at rest as is required by PCI-DSS. Capital One did not follow the standards they are required to adhere to. Now the fun begins.
24
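Several commenters argue over whether encrypting the stored data would have helped at all ("you make it useless for the various applications", "there need to be points where the data is available in its raw form", "Data should have been encrypted at rest as is required by PCI-DSS"). The following Go program is an added illustration of what application-layer field encryption actually buys in that debate; it is not Capital One's code, not from the article, and not from any commenter. It assumes a constructed schema (a `Record` with an encrypted SSN column plus a cleartext last-four fragment) and constructed sample applicants; the data key would come from a KMS in a real deployment and is simply random here. The point it demonstrates: a copy of the stored rows yields no SSNs, while the application still has exactly one decryption point, `RevealSSN`, which is the choke point where authorization and audit logging belong.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Record is the row persisted for one credit application (constructed schema).
// Only the SSN column is sealed; the name stays in clear so it can be searched.
type Record struct {
	ID       string // application identifier (constructed sample value)
	Name     string // cleartext: the application needs it for search/display
	SSNEnc   []byte // nonce || AES-256-GCM ciphertext+tag of the full SSN
	SSNLast4 string // display fragment; not enough on its own to open credit
}

// encryptField seals plaintext with AES-256-GCM and binds it to aad (the
// record ID), so a ciphertext copied onto another row will not open there.
func encryptField(key []byte, plaintext, aad string) ([]byte, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Stored blob layout: nonce, then ciphertext with the GCM tag appended.
	return gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad)), nil
}

// decryptField reverses encryptField; a flipped bit, wrong key or wrong aad
// makes gcm.Open return an error rather than garbage.
func decryptField(key, sealed []byte, aad string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("sealed field too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(aad))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreApplication is the single write path: the full SSN is never persisted
// in clear, only its ciphertext and the last four digits.
func StoreApplication(key []byte, id, name, ssn string) (Record, error) {
	if len(ssn) < 4 {
		return Record{}, errors.New("ssn too short")
	}
	enc, err := encryptField(key, ssn, id)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, Name: name, SSNEnc: enc, SSNLast4: ssn[len(ssn)-4:]}, nil
}

// RevealSSN is the one place the plaintext exists again: the raw-data point
// the commenters describe, and therefore where access control must sit.
func RevealSSN(key []byte, r Record) (string, error) {
	return decryptField(key, r.SSNEnc, r.ID)
}

// DumpContains models someone holding a copy of the stored rows and searching
// them for a value; it reports whether needle appears anywhere in that copy.
func DumpContains(records []Record, needle string) bool {
	var b strings.Builder
	for _, r := range records {
		fmt.Fprintf(&b, "%s|%s|%x|%s\n", r.ID, r.Name, r.SSNEnc, r.SSNLast4)
	}
	return strings.Contains(b.String(), needle)
}

func main() {
	key := make([]byte, 32) // stand-in for a KMS-held data key
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample applicants, not real people.
	r1, _ := StoreApplication(key, "app-0001", "Sample Applicant", "123-45-6789")
	r2, _ := StoreApplication(key, "app-0002", "Another Applicant", "987-65-4321")
	fmt.Println("full SSN readable from a copy of the rows:", DumpContains([]Record{r1, r2}, "123-45-6789"))
	ssn, err := RevealSSN(key, r1)
	fmt.Println("decrypt inside the application:", ssn, err)
	r2.SSNEnc = r1.SSNEnc // ciphertext moved onto a different record
	_, err = RevealSSN(key, r2)
	fmt.Println("moved ciphertext opens:", err == nil)
}
```

This does not settle the "encrypted data is useless to the application" objection so much as bound it: the application still decrypts, but only through one function, so the question becomes who may call it and whether each call is logged, rather than whether every copy of the database is a copy of every SSN.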
The internet takes the work out of robbery. Jesse James must be spinning in his grave.
14
Gee, would be nice if NYT gave readers information on how to find out if they are affected, than a lot.
2
@MB CapitalOne website provides information. In short, if you believe them, they will contact those affected. Credit freeze time if you don't have one already.
2
It will be interesting to see whether the same democrats who derided the $5B facebook settlement as too low will demand harsh punishments against Capital One.
Unlike Facebook's errors, the Capital One data is far more personal and far more relevant.
Just like the Mortgage bubble we will find that banks are untouchables.
@Matt. Well, Facebook deliberately sold their customers' information, to Russia, no less, among other things. From this article, it seems that Capital One's system contained a mistake that permitted the hack. So how are these similar, other than to make your point that banks are untouchable? I'm not defending Capital One; they are responsible because they weren't vigilant enough in building their architecture. But Facebook's crimes against us are in a different league.
35
Just like banks continue to get robbed, hackers will continue to hack where there is data. Organizations will try to build better systems and hackers will try to crack them. The breaches will be fewer but they will still exist. Don't fool yourself into believing that a protected system is unbreakable. All systems, every single one of them, have a weak spot. So long as data can get into a system someone will find a way to get it back out. This is a perfect case. A former Amazon employee who worked in their Cloud. Next week it could be a former employee who worked in IBM Cloud. Who knows, but one thing is for sure: your data is waiting to be hacked. It is not if but when.
4
Why did it take this long for Capital One to discover and for Capital One and the authorities to commence prosecution of this hacking?
It should have been discovered and reported when it had been commenced.
The remediation proffered by Capital One is insufficient, and should be expanded.
14
@Quandry You clearly have no understanding of the challenges in first determining if your systems have been hacked, second in determining what has been taken to be able to accurately communicate the theft, and third being able to know how the thief got in to be able to fix the problem before announcing to the world that you have been hacked so that all the other criminals are not able to replicate the hack. You may also have law enforcement instructing you to not say anything or even allow you to repair the flaw as they try to find the hacker before they disappear.
The average person, even ones who may be involved in developing systems, has no clue as to the complexity of trying to stop hackers or having the unfortunate task of trying to find them if their systems get hacked. They were lucky this one found it necessary to brag; usually they are very close-lipped about what they do.
8
@DC
They didn't configure the firewall correctly, which is not a Tier 3 (say) skill. Somebody made a mistake, presumably an honest oversight, and there was nothing in place to test the breach properly. If it was really a misconfigured firewall, then there should have been a system in place to quickly uncover the problem. But corporations put expediency and profits over people.
2
@DC Fifteen years ago @ 3 AM a CTO friend (mutual DC?) in Philly sat behind an array of monitors on his living room desk while I bit into my Wawa hoagie. Within ten minutes, after adding a few lines of code, he announced he'd secured a major bank's operations for one more business day. Wasn't Capital One.
"Secured the back door?" I inferred. That real genius of on-line security architecture responded, "What's a back door?"
His expanded list of institutional clients are today able to ensure the privacy of over $2 trillion AUM.
What's a wallet?
2
Another despicable hacker. Throw the book at her, and to Capital One...how did this happen? Why wasn't what she did online known? She certainly seems not to have hidden it. Lock her up as soon as the trial finds her guilty and please make it a long sentence. Despicable act against everyday people who just want comfort in daily living (I am sure) not nightmare.
25
Hackers beware! Just thinking about '20.
3
So, what's in your wallet? Ah, nothing, I got hacked. 100 million people! That's probably every customer Capital One has. Think about that one. Carry cash, get rid of the cards.
7
I’m a CapOne cardholder and very satisfied with their services. However, any financial services company that can’t secure its data after repeated hacks should be considered for closure.
Certainly their technology people are inept as are the senior execs in charge of software, technology and security.
Who can you trust?
97
@Nick DiAmante
One question: why the heck were these data not encrypted?
7
@Nick DiAmante My bet would be that protecting customers' data was not as important as saving themselves the cost of doing so. They made a calculated decision to endanger their customers' data because their priority was their own bottom line -- which is, of course, standard thinking for corporate lemmings.
14
People like this should be treated harshly by the law; stiff jail sentences and/or heavy fines. These hackers have an exaggerated sense of themselves and consider themselves above the law and common decency.
145
@Paul Klein
Coups like this reinforce their anti-establishment and subversive ideologies. Bragging about accomplishing them boosts their "street cred" in the global but insular sphere of hackers. But to what end? Just to prove that they can outwit the law and big companies? The real victims of these crimes are the common people, who will foot the expenses for extra security and deal with the fallout from identity thefts. Rebels without true cause. Such a shame. They could've used their tenacity and skills to benefit mankind instead.
26
I think it will be interesting to know more about her...profit doesn’t seem like her motive.
15
@Paul Klein And the subprime lenders who caused the great recession? How many of them went to jail? That bailout cost $1T. In this case there were no (known) actual damages.
27
The population of the U.S. is 327 million. On their website (linked below), they reportedly have 45 million customers.
How then could the data of 100 million people (1/3rd of the U.S. population) have been breached?
Be careful with the numbers.
24
Thank you! Still, perhaps the information of former customers and rejected applicants are included in the 100 million?
10
@Omoloya. And those who started an application and never got around to finishing it.
5
Ah. Here's the quote from the article: "On June 27, she also listed 'several companies, government entities and educational institutions,' according to court papers, which investigators interpreted to be other hacks she “may have committed.”"
Good morning, Everyone!
14
I’m glad I discard the Capital One come-ons that constantly arrive in my snail-mail box. Perhaps those will stop now, and they can apply the resources toward better cyber-security.
What’s in my wallet? Not Capital One!
179
@Ralph Averill
And what makes you think any other issuers - be it a bank, a store or another credit card company - isn't as vulnerable as Capital One?
Your gloating is no substitute for constant vigilance.
37
@Ralph Averill Capital One is shameless with its constant mailing of credit applications to low income customers and college students.
On top of that, see if you can find - anywhere in the light grey fine print - an option to strike a name and address from their mailing list. It's not there. The Federal Trade Commission should be fining the bank thousands of dollars for each and every application the bank mails out.
13