
Capital One Breach: When trusted third parties go rogue

Credit - Johannes Eisele/AFP/Getty Images

News of the Capital One breach should have come as more of a shock than it did but, unfortunately, as the headlines grow in frequency, we seem to take them with a pinch of salt.

We seem to have become desensitised to such huge numbers after the last 18 months, which have seen a succession of huge breaches including Twitter, MyFitnessPal, Quora, Marriott Hotels and Equifax.

More than 100 million Americans and 6 million Canadians were affected by the latest breach, which saw their names, addresses, phone numbers, email addresses, dates of birth and self-reported incomes exposed.


The big shock was the company involved – Capital One – because, on paper, they are one of the good guys.

They pride themselves on their cybersecurity processes and have always been a real innovator in cloud security. So, the key takeaway from this latest incident is the fact that it can quite literally happen to anyone, however hard you work to ensure it won't.

According to Capital One, the breach on March 22 and 23, 2019, resulted in the hacker gaining access to personal information related to credit card applications from 2005 to early 2019 for consumers, applicants and small businesses.

It is believed that the problem stemmed from a misconfigured open-source Web Application Firewall (WAF) that Capital One was using as part of its operations, hosted in the cloud with Amazon Web Services (AWS).

Unfortunately, the situation arose because it's virtually impossible for any company to do everything themselves, and no matter how "trusted and verified" the third parties you work with are, there will always be an element of risk.

When we hear that term used to describe an organisation or see the stamp on a website, we naturally think that someone is credible and legitimate, and it creates a level of trust.

We all strive to be verified in so many areas of the online world, just ask anyone who is still chasing the holy grail of a blue tick on Instagram!

In all seriousness though, if someone is "trusted and verified", it raises the question of what more can be done to prevent these types of things from happening. After all, it only takes one person to break the trust and go rogue.

Capital One reacted as quickly as they could when they were alerted to the posts on GitHub and just two days later an internal investigation confirmed there had been an intrusion.

They contacted the FBI, who quickly identified the culprit as Paige Thompson. This was not difficult, as she bragged about the attack on social media and left her CV on GitHub, where the database was dumped. On July 29th she was arrested for "charging computer fraud and abuse for an intrusion on the stored data".

It's worth noting that computer fraud and abuse in the US is punishable by up to five years in prison and a $250,000 fine, so it makes you wonder why she posted the details of her theft in the first place.

In a memorandum filed ahead of a detention hearing, the U.S. Attorney’s Office in Seattle said servers found in Thompson’s bedroom contained data stolen from more than 30 unnamed companies and educational institutions.

Since the breach was announced, both Capital One and GitHub have also been sued as part of a class-action lawsuit filed in California on allegations of failing to secure or prevent a security breach.

While Capital One is named in the lawsuit because it was its data that the hacker stole, GitHub was also included because the hacker posted details about the hack on the code-sharing site.


  • The information was taken from credit card applications submitted to the Virginia-based bank from 2005 to 2019. These included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income.

  • Additionally, Capital One said that 140,000 Social Security and 80,000 linked bank account numbers were compromised as well as fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.

  • No credit card account numbers or log-in credentials were exposed.

  • Individuals whose information was compromised in the breach will be notified by Capital One.


