[BreachExchange] Capital One notifies more clients of SSNs exposed in 2019 data breach

Wed Apr 7 10:25:32 EDT 2021

https://www.bleepingcomputer.com/news/security/capital-one-notifies-more-clients-of-ssns-exposed-in-2019-data-breach/

US bank Capital One notified additional customers that their Social
Security numbers were exposed in a data breach announced in July 2019.

The day the breach was disclosed, the Department of Justice arrested
and indicted the suspected hacker, former Amazon Web Services (AWS)
employee Paige Thompson, who posted about stealing data on GitHub
after infiltrating Capital One's AWS cloud servers.

Thompson allegedly stole over 100 million people's personal
information, including names, email addresses, dates of birth,
transaction data, credit scores, payment history, balances, and for
some, linked bank accounts and social security numbers.

The suspect also gained access to roughly 140,000 Social Security
numbers and around 80,000 linked bank account numbers of credit card
customers. Thompson also used the compromised servers to mine for
cryptocurrency, according to the indictment.

Capital One was not the only organization hacked by the attacker, with
media reporting that the list of breached companies might also include
Vodafone, Ford, Unicredit, the Ohio Department of Transportation, and
Michigan State University.

New exposed customer information discovered

While the breach notification letters might seem out of place almost
two years after the incident, they were prompted by new findings while
analyzing data stolen during the 2019 security breach.

However, after re-analyzing the stolen data using new tools, the bank
discovered that the hacker did gain access and stole some of its
customers' SSNs.

"Immediately after the 2019 data security incident, we conducted an
analysis with the assistance of an external third-party expert to
determine what information was accessed by the unauthorized
individual," Capital One said. "At that time, we did not identify you
as one of the individuals whose Social Security number was part of the
accessed data."

"Recently, Capital One re-examined the files that were impacted by the
2019 data security incident using new and more advanced tools. As part
of this analysis, we determined that your Social Security number was
among the data to which the unauthorized individual gained access."

According to Capital One, the bank notified customers of this
additional exposed personal information even though there is no
evidence that it was disseminated or used for fraud.

Fines and estimated losses

Capital One said that the incident is expected to generate costs of
$100 to $150 million due to customer notifications, free credit
monitoring services, security improvement costs, and legal fees.

However, the bank also added that it had cybersecurity insurance that
will cover up to $400 million with a $10 million deductible.

Last year, Capital One was fined $80 million by the Office of the
Comptroller of the Currency (OCC), the US banking regulator, for its
failure to protect its customers' personal and financial information.

"The OCC took these actions based on the bank's failure to establish
effective risk assessment processes prior to migrating significant
information technology operations to the public cloud environment and
the bank's failure to correct the deficiencies in a timely manner,"
OCC said.