Capital One learned of massive data breach from email tip

asdfAn email on July 17 informing Capital One that its data seemed to have been breached. Some information was redacted by the Department of Justice.Justice Department

• Capital One's data was breached sometime between March and July, and 106 million people had some combination of their IDs, Social Security numbers, and bank-account information compromised.
• The bank didn't know about the hack until a member of the public emailed it to say the person found the data dumped on GitHub, a popular site among web developers, the Department of Justice said.
• The company reported the breach to the FBI two days later.
• Tips like this are a common way for companies to find out about security breaches.
• The DOJ has charged a former software engineer with hacking Capital One's security systems, accusing her of taking the data and then posting it online.
• Visit Business Insider's homepage for more stories.

Capital One was made aware of its enormous data breach by someone who emailed the company after seeing the information freely available online.

The American bank announced Monday that it had been breached, affecting some 106 million people in the US and Canada. Many of those people had Social Security numbers, linked bank accounts, and other personal information compromised.

Read more: Capital One says it was hit with data breach, affecting tens of millions of credit card applications

The Department of Justice has arrested Paige A. Thompson, a former software engineer, and charged her with a single count of computer fraud and abuse.

The DOJ said the breach took place sometime between March and July.

A criminal complaint accuses her of stealing data from Capital One's cloud provider and posting details of it on GitHub, a project-managing site popular among developers.

A Capital One ATM.Roman Tiraspolsky/Shutterstock

The complaint also includes the detail that Capital One didn't realize it had been hacked until someone tipped it off.

According to the DOJ, an unidentified person emailed the bank on July 17 saying: "There appears to be some leaked s3 data of yours in someone's github/gist."

"S3" refers to Amazon Web Services' cloud-storage product for developers, which Capital One used to store the data that was breached.

According to the complaint, Capital One contacted the DOJ two days later, on July 19, to report the breach.

Read more: Amazon's cloud was at the heart of the big Capital One hack, even though it doesn't seem to be at fault

The GitHub file in question, which contained Capital One's data, was timestamped April 21 and was linked to Thompson's name.

You can see a screenshot of the tipster's email above. The person's name and other identifying information were redacted in the DOJ's complaint, published Monday.

A Capital One bank branch.REUTERS/ Brendan McDermid

It is common for companies to find out about data breaches in this manner.

Capital One has an email address through which people can flag suspected vulnerabilities in its systems. Many other banks have channels like this.

Some of the people who email the hotline are "white hat" or "ethical" hackers, experts in computer security who report security vulnerabilities to their owners rather than try to exploit them.

It's not clear whether the person who emailed Capital One was a white-hat hacker or somebody who chanced upon Thompson's GitHub file.

Thompson is due to appear in court on Thursday. If convicted, she faces up to five years in prison and a $250,000 fine.

Comments are closed.