Data Breach Hits Virginia-Based Capital One Bank
DAVID GREENE, HOST:
Capital One is dealing with one of the largest ever data breaches to hit a major bank. The Virginia-based company says this breach has affected more than 100 million people in the United States and also in Canada. Capital One says a hacker got access to names, addresses, credit scores and in some cases also Social Security numbers and bank accounts. They were all compromised. Investigators say a Seattle woman is behind this massive hack. And before we go on, we do want to note that Capital One is an NPR funder.
So let's get to what happened here. Reporter Devlin Barrett of The Washington Post has been covering this. He's in our studio this morning. Devlin, good morning.
DEVLIN BARRETT: Good morning.
GREENE: So what exactly was stolen here? Because it sounds like the 100 million number applies to a lot of stuff, but then there's a smaller number who might have lost some really important stuff.
BARRETT: Right. So the 100 million is the number of credit card applications that were accessed by this hacker, allegedly. And so within that very huge group, there's a smaller group of tens of thousands of folks who actually had their Social Security numbers taken and their bank account numbers taken.
GREENE: So that's more serious. But even for all the other people who had their credit card applications stolen, I mean, there's got to be some sensitive stuff on those things, right?
BARRETT: Right. I mean, think about if you remember what goes into a credit card application - that's your address; that's your date of birth; that's, you know, some of your credit-related information. So it's certainly valuable information to identity thieves. So it's not - you know, it's not nothing, by any stretch.
GREENE: So if you're a Capital One customer, I mean, what advice are people getting now in terms of how serious this is and whether they need to do anything to make sure their, you know, identities aren't stolen?
BARRETT: So the company's CEO has already apologized to its customers, which is always, you know, a tough thing for a CEO to have to do. But in this case they're offering credit monitoring, and they're trying to reassure customers that, you know, they think they have a handle on this, and they think that for most of their - most of the folks whose information was stolen, they think this is manageable, and they don't think - you know, what they're trying to reassure everyone is, you know, from the vast majority, 99% of these folks, your Social Security numbers weren't taken.
GREENE: So the FBI has already arrested someone, which is - I mean, seems pretty fast. What do we know about her and how she pulled this off?
BARRETT: Yeah, it's a lightning fast case in terms of hack to arrest when you compare them to other large hacking cases. And what seems to have happened, according to court papers, is that she seems to have bragged, basically, in an online chat group about having taken these files.
GREENE: She went online in a public forum and said, hey, guess what I just did?
BARRETT: She did. And someone actually responded to her, you know, essentially, please don't go to jail, because it was very clear to some people in the conversation, well, that - what you're describing sounds an awful lot like a crime. And one of the people in that group alerted Capital One to this in mid-July. And what you saw was basically a two-week scramble by both the company and the FBI that led to her door.
GREENE: That's amazing. OK, so Capital One is apologizing. Are they saying anything more about why this happened, what they could have done better, how to prevent this in the future?
BARRETT: So what seems to have happened, according to investigators, is there seems to have been a flaw in a firewall, and there - she seems to have, because of her past job, some understanding of the way that Capital One stores their data on the cloud. Obviously, you can pay other companies to store your data. And that gave her a notion as to how to get this data. And obviously, Capital One has said they fixed the vulnerability, and that's an important part of this.
But also it raises some questions - right? - as to the security of cloud computing, the security of - you know, this isn't even one of their former employees; this is a former employee of a company they hired to store their data. So, you know, security is hard sometimes, and this seems to have been a significant gap.
GREENE: Security hard - not just to Capital One. I mean, this is just the latest example of U.S. consumers having their information stolen. Is there any sense that our data is more - is safer than it was a year ago or two years ago?
BARRETT: I wouldn't say the data is safer. I think, you know, as a general rule, these cases are huge, and they do have massive consequences for the companies involved. Equifax just announced a $700 million settlement with the government over a similar issue of breaches and taking customer data. I don't think we've seen the last of this. I think the challenge is, how do you get better at it when there's so much data in so many places?
GREENE: Devlin Barrett reports for The Washington Post. Devlin, thanks so much.
BARRETT: Thank you. Transcript provided by NPR, Copyright NPR.