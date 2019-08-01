This July 22, 2019, photo shows Capital One mail in North Andover, Mass. A security breach at Capital One Financial, one of the nation’s largest issuers of credit cards, compromised the personal information of about 106 million people, and in some cases the hacker obtained Social Security and bank account numbers. It is among the largest security breaches of a major U.S. financial institution on record. The bank’s stock dipped 6% at the opening of trading Tuesday, July 30. (AP Photo/Elise Amendola)

FAYETTEVILLE, Ark. (KNWA) — An Arkansas native breached Capital One and exposed the confidential information of 106 million people, and she did so in pretty simple fashion, a University of Arkansas professor said.

“The way it was accomplished, in our field, is considered relatively simple,” said Dale R. Thompson, associate professor of computer science and computer engineering at the U of A. “I know it’s shocking to most people; I view it as there was a problem. You immediately address the problem as fast as you can and try to mitigate any future problems and try to learn from it. Attacks like this… that one was relatively simple but not unheard of.”

Paige A. Thompson, aka “erratic,” stands accused of intentionally accessing a computer containing Capital One information without authorization and then obtaining information “contained in a financial record of a financial institution and of a card issuer,” according to U.S. District Court documents.

Paige Thompson, who was arrested by FBI agents on July 29, was outspoken about breaching Capital One.

Paige Thompson (photo from Twitter) and the U.S. District Court document stating the Capital One data breach she is accused of committing.

“Moreover, Paige A. Thompson also has made statements on social media fora evidencing the fact that she has information of Capital One, and that she recognizes that she has acted illegally,” court documents states.

Paige Thompson, who lived in Arkansas as a child, is believed to have committed the breach on March 22 and 23, and Capital One determined on July 19 that the breach had occurred, according to a data breach announcement on the Capital One website.

The Capital One website states that the breach affected 100 million people in the United States and 6 million people in Canada.

“Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were compromised,” the announcement states.

However, 140,000 Social Security numbers of credit card customers and 80,000 linked bank accounts of secured credit card customers were compromised. Also, 1 million Social Insurance Numbers in Canada were compromised.

The breach also exposed a wealth of other personal information that Capital One routinely collects when it receives credit card information, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income, according to the announcement.

The announcement states that Capital One “immediately” fixed the configuration vulnerability Paige Thompson is accused of exploiting and “promptly” began working with federal law enforcement.

“Safeguarding our customers’ information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses,” the announcement states.

Paige Thompson is believed to have exploited a specific configuration vulnerability in Capital One’s infrastructure, according to the announcement.

Paige Thompson’s tweets from her “ERRATic” Twitter account describing how she breached Capital One.

Paige Thompson is a former Amazon employee. She described on her “ERRATiC” Twitter account how she found large stores of data that were supposed to be secured on Amazon.

“She had insider access and knowledge of how the system worked and where the files were stored,” Dale Thompson said. “Having this information and finding a vulnerability in the website, she was able to extract the data. She had worked with this data before. So this wasn’t unfamiliar to her.”

Insider access is a major concern for companies that store massive amounts of data, according to Dale Thompson.

“There’s a whole field of security based on insider threats because they do pose such a risk,” he said. “People have to have a lot of knowledge about the system to do their job, and they don’t always stay or become disgruntled. [These companies] worry about that the most; it’s a really hard thing. [Employees] have to have the information to do their job, but how do you restrict it or monitor it when they leave?”

The Capital One breach is on the same magnitude level as the Equifax breach that occurred in 2017 and exposed the personal information of 147 million people. Equifax recently agreed to a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau and 50 U.S. states and territories. The settlement includes up to $425 million to help people affected by the data breach, according to the Federal Trade Commission website.

“It seems like the Equifax breach was a long period of time and [the culprits] were slowly extracting the data to avoid detection,” Dale Thompson said. “It sounded like maybe [Paige Thompson] was disgruntled and maybe trying to draw attention to themself on purpose. One rogue insider is not good, but detectable.”

Once personal information has been compromised, it’s forever exposed, Dale Thompson said.

“I think certain people who are more affected than others will close accounts and reopen accounts,” Dale Thompson said. “Maybe they’ll force people to change their passwords, set new pin numbers.”

It’s especially concerning that Social Security numbers were exposed.

“Originally, Social Security numbers were supposed to be used as an identifier, now as a society we’ve turned it into something that hinges our finances and everything we do,” Dale Thompson said.

There are three key ways people can protect their personal information.

“Once a year you can get a copy of your credit report from the three major credit bureaus and look to make sure that all accounts open in your name were initiated by you, something that you set up and you asked for,” Dale Thompson said. “And then the other thing you can do, you can put a freeze on your accounts so that people can’t do credit checks on you before they set up an account in your name. [You’ll be notified] when somebody is trying to do a credit check on you, and you can give permission that the credit check can go through. Also, you can subscribe to services that update you when there are changes to your credit account. Capital One is going to most likely offer one of those services to victims of this. Those three things will help quite a bit.”