What to know about the ‘extremely unusual’ Capital One hack

The FBI has already arrested a suspect.

Between major breaches like ones from Equifax and Marriott, you could be forgiven for having data-theft fatigue. It’s that world-weary feeling of knowing that once again, the personal information of millions has been compromised.

But the news about one how one hacker managed to nab information relating to around 100 million people from Capital One is not just concerning. It’s unusual.

Here’s what you should know about the incident, which involves Paige A. Thompson, the hacker Capital One describes as a “highly sophisticated individual.” She has already been arrested by the FBI.

Who was affected by the Capital One personal data breach?

Capital One says that in the United States, 100 million people were affected. In Canada, that number is 6 million. Most of the information comes from people or businesses who applied for credit cards. That contains the kind of information you might expect to see on a credit card application—data like names, birthdays, and phone numbers. The hacker also allegedly obtained some credit card information, like credit scores.

The most serious information that Thompson allegedly acquired: the social security numbers of some 140,000 credit card customers. While that’s a small percentage of the 100 million or so people affected, a leaked social security number is always a big deal.

In Canada, some 80,000 bank account numbers and 1 million social insurance numbers were also compromised.

So what happened to the stolen information?

Capital One says that they “believe it is unlikely that the information was used for fraud or disseminated by this individual.” If true, that’s a very good thing. In other hacks, bad actors distribute stolen credentials like usernames and passwords, and then cybercriminals use them to try to log onto other sites in a tactic called credential stuffing. (In this case, the hack did not include that kind of information, according to Capital One.)

How do I check to see if I was affected by the Capital One data breach?

Capital One says that they will let people know if their information was involved in the hack via “a variety of channels.” The bank did not reply to requests for further information on how people may find out if their data was swept up in the breach. Capital One also notes that most of the leaked information pertains to applications for “credit card products” between 2005 and this year.

How did this all happen?

According to both Capital One and this criminal complaint filed by the U.S. Attorney’s Office in Washington state, the suspect, Paige Thompson, acquired the data by hacking into Amazon Web Services, or AWS.

Capital One learned about this after receiving an email on July 17 tipping them off. That email is reproduced on page 5 of the criminal complaint and references “s3 data.” S3, or Amazon Simple Storage Service is, as its name implies, a data storage service that’s part of AWS. The whistleblower who pinged Capital One about the data noticed that the hacker, allegedly Thompson, posted a description of the stolen information on a service called Github.

Thompson allegedly hacked her way in due to a weakness in the firewall configuration, according to the complaint.

Update on August 1: Amazon says that Thompson used to work for AWS, but was not employed by the company at the time of the hack, and hadn’t been for around three years. Amazon also notes that the hack was enabled because of a misconfigured firewall that was not part of AWS itself. Additionally, a representative for Capital One notes via email that the information that the hacker posted on GitHub was lists of the stolen data, not the actual data.

What makes this cybersecurity incident so peculiar?

“It’s extremely unusual,” says Shuman Ghosemajumder, the CTO of cybersecurity company Shape Security. There are several reasons: for one, the suspect appears to have been working alone, and it’s unclear what her goal was. Based on publicly available information, Ghosemajumder observes that this “individual didn’t even have a very clear motive in terms of how she was going to monetize this.”

Another factor that makes this incident atypical is that Capital One’s announcement of the breach coincided with the news that the perpetrator had already been arrested. “Usually what happens is that there is a long period of time where forensic analysis is required to create any kind of hope of attribution, and in a lot of cases they can never identify who the individuals or organizations behind a particular data breach were,” Ghosemajumder says.

This hack also appears to have originated within the U.S., which made the sleuthing work undertaken by the Justice Department—specifically FBI Special Agent Joel Martini—easier than if the hacker were overseas.

Incidents like this one, Ghosemajumder adds, make for “a powerful deterrent for U.S.-based persons to not engage in criminal activity.”

This article was updated on August 1 in response to further information from Amazon and Capital One. It was originally published on July 30.

Rob Verger

Rob Vergeris an associate editor at PopSci, where he covers aviation, the military, transportation, outdoor gear and gadgets, and other tech topics. A graduate of Columbia Journalism School, he's also written for The Boston Globe, Newsweek, The Daily Beast, CJR, VICE News, and other publications. Contact the author here.