Cap One Employees Warned Of Security Issues Pre-Hack

Capital One employees raised red flags over security risks before the company suffered a massive data breach.

According to a report in The Wall Street Journal, sources said that employees sent a warning to Capital One about high turnover in its cybersecurity unit as well as the failure to install some software to help spot and defend against hacks.

The sources pointed out that about one-third of its employees left in 2018.

“Safeguarding information is essential to our mission and to our role as a financial institution. We’ve invested heavily in cybersecurity and will continue to do so,” said a bank spokeswoman.

She added that the cybersecurity unit’s total head count has risen over the past several years, explaining that “the Cyber Team is a net importer of talent within Capital One.”

About five years ago, the company started moving its data to the cloud. The alleged hacker, Paige Thompson, was a former employee of Amazon Web Services, which hosted the Capital One database that was breached.

“We will incorporate the learnings of this incident to further strengthen our cyber defense,” the bank spokeswoman said.

Seattle-based Thompson was charged with one count of computer fraud and abuse following her arrest on July 30. The F.B.I. noticed her activity on a Meetup she organizes called Seattle Warez Kiddies, which is for people into “hacking, cracking.”  Court documents filed with Seattle’s District Court state that Thompson appeared to brag about the information she had accessed related to Capital One. The documents said Thompson accessed the data through a “misconfiguration” of a firewall on a web application.

The breach impacts about 100 million individuals in the United States and around 6 million in Canada. Capital One stressed that credit card account numbers and login credentials were not compromised, while more than 99 percent of Social Security numbers were not impacted.

“Although some of the information in those applications (such as Social Security numbers) has been tokenized or encrypted, other information including applicants’ names, addresses, dates of birth and information regarding their credit history has not been tokenized,” the FBI complaint said, and the bank told the bureau that the data includes “likely tens of millions of applications and approximately 77,000 bank account numbers.”

The hack is expected to cost the company between $100 million and $150 million in the near term.