On July 29, Capital One announced more than 100 million individuals in the US and Canada were affected by a data breach. According to Capital One, ‘the information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, post codes, phone numbers, email addresses, dates of birth, and self-reported income’.
What we know is largely based on our review of a federal criminal complaint filed against the alleged hacker known as ‘Erratic’. According to the complaint, Erratic is alleged to have broken into a Capital One server running on Amazon Web Services (‘AWS’) because of a firewall misconfiguration. As a result, the hacker obtained privileges to further access and exfiltrate data.
Fortunately, Capital One was alerted to the breach when they were notified that the alleged hacker posted the exfiltrated data on Github. At the same time, she had been bragging about her exploits on social media, describing in sufficient detail how she accessed and exfiltrated the data.