News(FYI): Capital One data breach: Arrest after details of 106 million people stolen (US & Canada)


Arcadia

BBC Money article  https://www.bbc.com/news/world-us-canada-49159859

“The US justice department has confirmed it has arrested a former Seattle technology company software engineer in connection with the breach. 

Ms Thompson, 33, was arrested on Monday on charges of computer fraud and abuse. She made an initial appearance in federal court in Seattle. 

A hearing has been scheduled for 1 August. 

Court documents claim she boasted about the data breach on an online forum. 

A statement by the US attorney's office in Washington said: "On July 17 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft."

Ms Thompson faces a maximum sentence of five years in prison and a $250,000 (£204,713) fine.”

Capital One press release link http://press.capitalone.com/phoenix.zhtml?c=251626&p=irol-newsArticle&ID=2405043

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including: 

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information 
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of our credit card customers 
  • About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

We will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected.”


13 minutes ago, Arcadia said:

BBC Money article  https://www.bbc.com/news/world-us-canada-49159859

“The US justice department has confirmed it has arrested a former Seattle technology company software engineer in connection with the breach. 

Ms Thompson, 33, was arrested on Monday on charges of computer fraud and abuse. She made an initial appearance in federal court in Seattle. 

A hearing has been scheduled for 1 August. 

Court documents claim she boasted about the data breach on an online forum. 

A statement by the US attorney's office in Washington said: "On July 17 2019, a GitHub user who saw the post alerted Capital One to the possibility it had suffered a data theft."

Ms Thompson faces a maximum sentence of five years in prison and a $250,000 (£204,713) fine.”

Capital One press release link http://press.capitalone.com/phoenix.zhtml?c=251626&p=irol-newsArticle&ID=2405043

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including: 

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information 
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of our credit card customers 
  • About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

We will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected.”

The double-speak on the bolded is astounding.  

I'm a customer and very angry.    This is not the first company to have a data breach on their credit card customers.  Makes me wonder if there's an alternative - esp. for online shopping where you can't pay cash.  


3 minutes ago, Katy said:

Wait a minute.  Did this woman post it on GitHub?  What did they have to do with it?

 

From Business Insider: The woman charged with stealing 100 million people's data clued in the FBI with bizarre boasts on Twitter, GitHub, and Slack https://www.businessinsider.com/capital-one-bank-data-suspected-hacker-boasted-online-2019-7

“An FBI special agent named Joel Martini detailed in the complaint against Thompson how he pieced together her identity from a series of online boasts. 

Capital One was first alerted to the breach by a tip submitted to its security-disclosure email address. "There appears to be some leaked s3 data of yours in someone's github / gist," the tip said, providing a link. 

Martini found Thompson's full name on GitHub, the coding-collaboration service. He also found a link to a GitLab page containing a résumé describing Thompson as a "systems engineer" who had worked for Amazon AWS from 2015 to 2016. 

Martini then determined that Thompson had set up a Meetup group with the online alias "erratic." 

Meetup is a social-media site where people join groups based on their interests. The Meetup group contained a code to join a Slack channel, where someone with the username "erratic" had boasted about the hack, prompting concern from one other user who wrote "don't go to jail plz”

Martini linked the Slack account to Thompson's real-life identity after she posted a veterinary bill about a pet that listed her name and address, the complaint said. While the filing didn't specify which pet, The New York Times found Thompson had posted on Meetup about taking her cat to the vet, which is corroborated by pictures posted on Twitter. 

Martini was also able to find a Twitter account under the name "Erratic." The tipster provided Capital One with a screenshot of Twitter direct messages from this account in which the user says: "Ive basically strapped myself with a bomb vest, fucking dropping capitol ones dox and admitting it." 

After amassing this evidence, Martini obtained a warrant to search Thompson's home. Agents seized "numerous digital devices" and found files on them that referred to Capital One. 

Thompson was subsequently charged with computer fraud and abuse, punishable by as much as five years in prison and a $250,000 fine.”


5 hours ago, happysmileylady said:

We don't have credit cards.  For online shopping, we use our debit cards, OR, buy gift cards.  It's not uncommon for me to take my cash, buy an amazon card at Meijer, and then use that online.  

I also use gift cards at the pump.  Every month, I put my gas money on a Costco card and use that to get gas at the pump.  I usually keep like $5 or $10 in cash in my van just in case I need to get gas elsewhere, but Costco is right by my house.  Before we moved here, I used a Speedway card, again, right by the house.  

 

But there's of course NO 100% risk free way of doing business.  Regardless of whether you use cash, checks or cards, your money is always at risk.  

I would not use debit cards.  My sis does that and she's had the number stolen multiple times.  I like the idea of buying gift cards  👍


We use prepaid debit cards that are not connected to our bank accounts. Everyone in the family has one and dh looks at the balance frequently and adds money as needed. The kids carry about $20 but they text him and he can add quickly. I keep a running total in my head and know when I will need money. One got hacked earlier this year but it was far easier than having my credit card hacked because the exposure was small and only the hacked debit card was affected so we still had three good cards between us. When my credit card was hacked it had huge repercussions because it was the family travel card because of free insurance and we needed to travel. We were reimbursed both times... They actually made us pay the hacked amount and refunded us later which made us angry.


3 hours ago, PrincessMommy said:

I do have a question:

Even if I cut up all my cards and close my accounts, isn't it too late?  Isn't all my data already out there?  Wouldn't Capital One and others keep that information on file records somewhere?

Yes, it is too late if your data is out there. And note that SSN numbers were what was primarily stolen which has nothing to do with any card. Capital One will be notifying people whose credit card was hacked. It doesn't seem that any account numbers or debit cards were hacked in this one.


It may still depend on what state you're in, but in ours it's very easy to freeze your credit. I did all four of ours a couple of years ago (or after the Equifax breach, whenever that was). It took me maybe thirty minutes to do all four. We did unfreeze DS23's when he got his first solo apartment, and that was easy to do, too. The rest of us have had no need to unfreeze. I very recently got proof that the freeze works, and I am going to have to jump through a small hoop to do something I need to do (that doesn't even involve credit) because the freeze is in place. But it's well worth the one time small hoop jumping for the peace of mind, especially since I'm a Capital One customer, and DH's info was involved in the Equifax breach.
