Capital One, the fifth-biggest U.S. credit-card issuer, announced this week it was the victim of one of the worst data breaches at a bank. The intrusion involved information on 106 million U.S. and Canadian credit-card customers and applicants. Capital One responded fairly quickly and, uncommonly, was able to communicate that the culprit had been caught.

A Good Samaritan GitHub user alerted the bank July 17 that the pilfered data could be accessed on that hosting site. Capital One, based in McLean, Virginia, confirmed the intrusion July 19 and issued a press release July 29. The breach occurred in March; the vulnerability was the misconfiguration of a firewall, which Capital One said it “immediately fixed.”

In its press release, the bank tried to downplay the types of data taken, though the list was not reassuring. It included addresses, phone numbers, birthdays, credit scores, and Social Security numbers (some of this data was encrypted or “tokened”).

Capital One said it didn’t believe any information was disseminated or used for fraud. It said it would offer the typical post-breach services, such as free credit monitoring and identity protection. It set up informational sites for both United States and Canadian customers and applicants. (There have been complaints that Capital One has not yet individually notified people or provided a way to check whether they’re victims.)

The company promised to do better. “Safeguarding our customers’ information is essential to our mission and our role as a financial institution,” according to the statement. “We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses.”

‘Making It Right’

CEO Richard D. Fairbank effused apologies. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” he said in the statement. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Typically a data-breach victim announces the incident without knowing the culprit’s identity. Capital One played up high in its press release that the hacker, Paige A. Thompson, had been nabbed. “Perpetrator Arrested by Federal Law Enforcement,” read the deck.

Amazon Web Services, which hosted Capital One’s data, also put out a statement — denying any responsibility. “AWS was not compromised in any way and functioned as designed,” it said. “The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure.”

In its press release on the arrest, the U.S. Attorney’s office for the Western District of Washington said 33-year-old Seattle resident Thompson, who uses the alias “erratic,” appeared in court in Seattle and was ordered detained. Thompson is reportedly a software engineer and an ex-employee of Amazon Web Services (which Amazon didn’t mention in its own press release).

“Capital One quickly alerted law enforcement to the data theft — allowing the FBI to trace the intrusion,” U.S. Attorney Brian T. Moran said in his office’s statement. Catching the alleged perpetrator was helped by Thompson allegedly boasting about her handiwork on social media.

Capital One said it expects the breach to cost upwards of $150 million. Fortunately, it has cyber insurance. As should all crisis planners.

Photo Credit: David Cardinez/Shutterstock

This is an abridged version of an article that appeared today on the CrisisResponsePro paid subscription portal. (CrisisResponsePro subscribers can access the full version by clicking here. ID and password are required.) To take advantage of all of the content, data, and collaborative resources CrisisResponsePro has to offer, contact us at (800) 497-1737, signup@crisisresponsepro.com, or crisisresponsepro.com/signup.