Cybersecurity Threat Advisory 0041-19: Capital One Data Breach Disclosure
On Monday June 29, 2019, Capital One (a financial services company that handles credit cards for their own brand and many 3rd-Party brands) publicly disclosed a significant data breach exposing personally identifiable information for millions of their customers. The breach, which took place in March 2019, was identified by an anonymous source who notified Capital One on July 19, 2019. Capital One then engaged the FBI who began an investigation and arrested the individual believed to be responsible.
The exposure includes social security numbers, social insurance numbers (Canada), linked bank account numbers, and various other credit card application data including email addresses, names, addresses, and dates of birth along with income information. Much of the information was accessed from credit card applications submitted from 2005 through 2019. Capital One released a statement informing the public that they will notify affected customers and make free credit monitoring and identity protection available to those individuals.
Why this is noteworthy:
The magnitude of this breach with personally identifiable information was significant and impacts citizens of both United States and Canada. The individual believed to be responsible for the breach posted the information through multiple public and private outlets including GitHub, Slack, and other social media platforms; though law enforcement has not released the reasons for this widespread dispersal. As the information was posted to highly public channels, a larger-than-usual number of potential threat actors has direct access to this data than has been seen in other breaches of this type and scale.
What is the exposure or risk?
While the full scope of the breach has not yet been validated, below is some key information which Capital One has published in a formal statement:
• Approximately 100 million individuals in the United States affected.
• Approximately 6 million individuals in Canada affected.
• Information collected from credit card applications filed from 2005 to 2019.
Compromised information includes:
• Approximately 140,000 social security numbers.
• Approximately 80,000 linked bank accounts of secured credit card customers.
• Approximately 1,000,000 social insurance numbers of Canadian customers.
• Customer names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
• Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
• Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
What are the recommendations?
Steps for Individuals:
• Obtain an updated credit report to review for potential unauthorized activity or accounts.
• Closely examine bank and credit card statements for any unauthorized purchases or transfers
• Be alert to targeted phishing and voice phishing attempts
• Freeze your credit as a potential option which will require you to manually unlock your credit for each new account(s) that may need to be established.
• Subscribe to credit monitoring and identity protection platforms.
Steps for Businesses:
• Review your System and Network Configurations to identify potential security gaps. This includes on-premises and any Cloud based IaaS including AWS, Azure and other shared Cloud offerings.
• Conduct a pen-test to help validate your configurations.
• Enable Cybersecurity Monitoring to identify threat traffic from TOR networks. SKOUT currently alerts on TOR network activity identified within our customers.
• Regularly review Threat Intelligence to monitor any information disclosures, credential leaks and similar activities. SKOUT SONAR provides Dark Web and Clear Web Monitoring as an additional service to our customers.
Technical details and additional information:
A misconfiguration on a web application firewall (WAF) in Capital One’s AWS instance apparently allowed a malicious actor to gain access to and extract sensitive information from multiple data buckets. The malicious actor was reported to have used a VPN service (IPredator) with a TOR browser to proxy and execute commands to exfiltrate data through Capital One’s Web Application Firewall. Capital One has since patched the vulnerability in the configuration however they have yet to release details as to what the specific vulnerability exploited.
For more in-depth information about the recommendations, please visit the following link:
If you have any questions, please contact our Security Operations Center.
Important note: Much of the information published thus far has not been validated and is subject to change as forensic analysis/investigation into the scope of the breach is conducted.
Find Trouble Before Trouble Finds You.
Security Operations Center