
Capital One Says Breach Hit 100M Individuals in U.S - pseudolus
https://www.bloomberg.com/news/articles/2019-07-29/capital-one-data-systems-breached-by-seattle-woman-u-s-says
======
joekrill
The way they are disclosing this is pretty disgusting, in my opinion. Go check
out their info page about this[1]. In bold it says:

> No bank account numbers or Social Security numbers were compromised, other
> than:

Then below that, in non-bold, it basically says "oh, except for these 140,000
social security numbers and 80,000 bank account numbers" - which is the
_primary reason_ folks are worried about this!

To me, the first thing you are going to see is "No bank account numbers or
Social Security numbers were compromised" in bold letters. Which is completely
false and misleading. _Technically_ they are telling the truth, but the way
they've done it is clearly meant to be misleading.

On top of that, I'm a Capital One customer myself, and I can't figure out how
to find out if I was affected at all!

[1]
[https://www.capitalone.com/facts2019/](https://www.capitalone.com/facts2019/)

~~~
kyrra
But those 140k and 80k numbers are their own bullet points, which I feel make
them stand out more than the bold line. I feel like this is clear enough.

~~~
joekrill
This is obviously anecdotal, but that was not my personal experience. I was
getting ready to go to bed last night when I saw this and grabbed my tablet to
see if I needed to worry. This bolded bit was the first thing I saw, and I
immediately thought "hm, must have been over-exaggerated, no SSNs were
exposed". Now I obviously read on and saw the bullet point, but for someone
skimming this, it's not at all obvious.

But further, why even word it that way? It was clearly done intentionally.
There's no need for this to be presented in this way other than to
intentionally try to mislead. Why not just say, in bold letters "140,000
social security numbers and 80,000 bank account numbers were compromised". Or
say it "The following were compromised".

------
shiftpgdn
> hacked into a cloud-computing company server, federal prosecutors in Seattle
> said

> the cloud-computing company, on whose servers Capital One rented space,
> wasn’t identified in court papers.

Does this feel like it was just an S3 bucket with permissions set incorrectly?
I've come across sensitive documents in S3 buckets with a well-crafted Google
search.

~~~
united893
Actually, it looks like she worked for Amazon on S3. So there might have been
some insider knowledge. From the complaint below, and by Googling her name,
you can find her resume.

I won't link it here, but here's a screenshot of a snippet:
[https://i.imgur.com/NezWVKw.png](https://i.imgur.com/NezWVKw.png)

~~~
yborg
I know that reading the actual linked content on HN is verboten, but the
Bloomberg story says

"Thompson was previously an Amazon Web Services employee. She last worked at
Amazon in 2016, spokesman Grant Milne said. The breach described by Capitol
One didn’t require insider knowledge, he said."

~~~
floatingatoll
“Didn’t require” is a very precise way of stating a truth about the
vulnerability that was exploited, while neither confirming nor denying whether
her role at Amazon was in some way responsible for her discovering the
vulnerability.

(If I could query all AWS permissions for publicly exploitable permissions,
that would comply, for example.)

~~~
Ajedi32
The AWS spokesman quoted in the article also explicitly says it wasn't a
vulnerability.

~~~
floatingatoll
Do you consider an access control misconfiguration to be a vulnerability? Does
Amazon?

Point stands; they’re being very careful to say that there aren’t any CVEs,
but they are also very carefully _not_ saying whether she abused the
privileges of her role to identify misconfigurations more rapidly than she
could have otherwise.

~~~
lanstin
Detailed knowledge of a system gives you all kinds of knowledge about how to
exploit it. You don't need special access if you know X% of users misconfigure
feature Y.

~~~
floatingatoll
It's not about _knowing_ that X% are misconfigured, it's about whether special
access or circumstances led to _locating_ them more efficiently than the
general public could have.

Special access can make the difference between "locating X% of misconfigured
users in a single admin panel query" and "locating X% of misconfigured users
by scanning every S3 bucket in existence without being caught".

Or to draw a weak analogy, knowing that a closed-source PRNG algorithm is
defective does not necessarily help locate all keys generated by it, but
having access to force it to generate numbers for you (or to study its source
code) absolutely does help.

------
iancarroll
I downloaded the indictment (edit: complaint, not indictment) from PACER:
[https://www.dropbox.com/s/z7u5rxcdajuvw6t/19718675504.pdf?dl...](https://www.dropbox.com/s/z7u5rxcdajuvw6t/19718675504.pdf?dl=0)

~~~
icelancer
Good lord.

- Paige left code used in the "attack" on her GitHub.

- Paige left text files with unencrypted data there, too.

- Paige openly posted about it in an open (!!!) Slack channel and publicly
named her VPN service of choice, which of course matched access logs AND
GitHub server logs. (Also Tor, which the FBI agent was able to confirm and
add as yet another data point.)

- Paige said "I have a leak proof IPredator router setup." Nice.

Nice opsec there. Sheesh.

EDIT: Thanks for the PACER share, by the way.

~~~
dmix
It says she posted on "social media" (Twitter) about it, claiming to have
Capital One information, "and that she recognizes that she acted illegally".

Nothing about Opsec here. She basically asked them to arrest her. Probably had
some of the usual motivations: "look at me I'm clever", "look at this stupid
big company with bad security", or maybe used the opportunity for some
political thing with banks. Not the sophisticated hacker type. But who knows.

Edit: originally I asked about her Github profile listed in the complaint as
paigea(5x * characters)thompson but was iffy on whether that was okay on HN.

~~~
curiousgal
[https://gist.github.com/paigeadelethompson](https://gist.github.com/paigeadelethompson)

Not much is left.

~~~
rajeshp1986
Her GitLab account shows it was updated just a few hours ago. How is this
possible?

[https://gitlab.com/netcrave](https://gitlab.com/netcrave)

~~~
curiousgal
When you star a project it gets "updated" even if you unstar it. Kinda like
Unix's _touch_ command.

------
imoldtoo
Instead of focusing on the lady involved, perhaps holding Capital One
accountable for their part in the matter may be a better thrust to this
thread.

While it might not be okay to instigate such breaches, we might also consider
it the actions of a whistleblower. Especially given the unusual way she went
about disclosing things.

Sure, perhaps there is a little bit of hey look at me about it, but at the
bottom of the trough it is actually the corporation that has ultimate
responsibility.

I look forward to a statement from Capital One of regret that they allowed the
breach to happen and will strive for better standards of security.

And that is actually a message for the entire industry.

------
encoderer
If I came across an s3 bucket with my credit application details and I could
delete it, I would probably do it and then report to their security team. It’s
MY data security they’re being casual with.

It occurs to me now that if I did that it would likely be a crime because of
the harm to the company. The irony.

~~~
dmix
Who cares if it has your data in it or not. Just report it to authorities and
the guy who runs haveibeenpwned.

Plus, what are you going to do with credit card applications anyway? Sell them
to a marketing company with some phony story? Or the 'sell them on the darknet
to fraudsters in Russia' angle? Unless you're already involved in some dirty
business, this isn't very valuable.

~~~
syntheticcdo
I would imagine complete credit card applications contain the type of
information identity thieves would be willing to pay good money for.

~~~
gowld
By now everyone's identity data is already widely disseminated, no?

~~~
Consultant32452
I operate under the assumption my name, address, email, social media profiles,
social security number, place of birth, and mother's maiden name are all
easily available in the wild. I've bought one of those online background
checks before, at the very least I can be confident the info on that report is
available to anyone.

------
hello_asdf
Why am I finding out about this from the news and not an email from Capital
One themselves? I wish there was legal liability to inform customers in the
event of a data breach.

~~~
teej
They are legally obligated, especially in California, to disclose part or all
of this breach to customers. But that obligation is not immediate. Give it
some time.

~~~
dontbenebby
Do they need to notify those of us not located in California?

~~~
tjalfi
YMMV, but all 50 U.S. states require some sort of notice for security
breaches.

------
KirinDave
I was there when C1 negotiated that deal with Amazon and they swore it
couldn't happen but of course, we all know that's false.

~~~
lettergram
Miss the LevelMoney folks...

Yeah AWS can’t protect you against a misconfigured environment

~~~
elliekelly
Are there AWS experts who can do some sort of quick audit or "sanity check" of
an environment's configurations? AWS almost makes it _too_ easy for someone
who only sort of knows what they're doing (like me) to get things up and
running.

~~~
dopylitty
There are many different automated systems for checking for misconfigurations
in your AWS organization. Capital One even developed a very popular one (Cloud
Custodian). Like most automated configuration checkers or monitoring systems
they rely on being configured by experts because at their default settings
they are mainly a source of annoying alerts that end up auto-filed to email
folders you never look in because this is agile and we can rationalize the
alert rules in the next iteration (we won't). They can also auto apply
actions. Have fun debugging your Cloud Formation stack that failed because the
automated checker system terminated the instance without notifying anyone
because it was missing a required tag.

As useless as these checkers are, the main problem is that there are so many
different ways to gain access to resources that it's almost impossible to have
a system that's useful to the business while also provably secure either
manually or automatically.

Don't forget even AWS themselves created a "managed" policy for some minor
service which accidentally gave users root access in the account:
[https://medium.com/ymedialabs-innovation/an-aws-managed-poli...](https://medium.com/ymedialabs-innovation/an-aws-managed-policy-that-allowed-granting-root-admin-access-to-any-role-51b409ea7ff0)

------
40acres
Generally it's not a good idea to sabotage your employer's clients, but I
wonder how many engineers across the Big 3 US cloud providers have the
know-how to exploit holes in how Fortune 500 companies use their platforms.

~~~
cj
This is a legitimate risk.

At a minimum, AWS Support has near complete read access to AWS accounts in
connection with support cases.

It would be interesting to hear from an AWS employee how access to customer
information is controlled.

~~~
joncrane
Metadata, yes. But not content. So they can see you have 200 c5.9xlarges
running in 3 AZs in 3 subnets in one VPC, for example.

But they can't see what you have on the volumes attached to those instances,
what processes are running, etc.

~~~
vaesh
I've had AWS support tell me exactly what processes are running on my
instance. They do seem to have some visibility beyond metadata.

~~~
yandie
I'm an Amazon employee here - but my words don't represent the company.

Internally we also talk to AWS support. They absolutely don't have much
visibility into our accounts at all - much to my frustrations. They only see
metadata - even for internal accounts.

The only teams that have some access to such information are the security
team, or whoever you grant access to explicitly via the standard AWS auth
mechanism (IAM).

------
danellis
This spooked me. I thought I recognized the name, and then I remembered she
had recently contacted me out of the blue on meetup.com to ask if I was
interested in doing some urban exploration. I said yes, but we never got
around to picking a day. Now I'm kind of glad we didn't!

~~~
faissaloo
I'd be kinda bummed I didn't

------
ryanmarsh
After reading the affidavit it was a former AWS employee. The accused worked
there from 2015-2016 and it’s not immediately clear that it was a
misconfigured S3 bucket. There’s a particular IAM role she used to execute API
commands (ListBuckets, etc..). The buckets contained credit card applications
and other data including DOB and SSN. She gloated about it on Slack and said
she was using a VPN and Tor.

The affidavit is a good read. Linked elsewhere in this thread.

------
otterley
Anyone have a copy of the complaint handy? I'd love to read the Government's
allegations in more detail.

(Edited: complaint, not indictment.)

~~~
otterley
DOJ press release:

[https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arr...](https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arrested-data-theft-involving-large-financial-services-company)

""" A former Seattle technology company software engineer was arrested today
on a criminal complaint charging computer fraud and abuse for an intrusion on
the stored data of Capital One Financial Corporation, announced U.S. Attorney
Brian T. Moran. PAIGE A. THOMPSON a/k/a erratic, 33, made her initial
appearance in U.S. District Court in Seattle today and was ordered detained
pending a hearing on August 1, 2019.

According to the criminal complaint, THOMPSON posted on the information
sharing site GitHub about her theft of information from the servers storing
Capital One data. The intrusion occurred through a misconfigured web
application firewall that enabled access to the data. On July 17, 2019, a
GitHub user who saw the post alerted Capital One to the possibility it had
suffered a data theft. After determining on July 19, 2019, that there had been
an intrusion into its data, Capital One contacted the FBI. Cyber investigators
were able to identify THOMPSON as the person who was posting about the data
theft. This morning agents executed a search warrant at THOMPSON’s residence
and seized electronic storage devices containing a copy of the data. """

~~~
thinkmassive
Sounds less like intrusion and more like accidental exposure by Capital One.

~~~
sdinsn
It sounds like an internal threat to me (she was an employee at Amazon).

~~~
lawnchair_larry
Not at the time of the hack. Insider access was not used.

------
detcader
I don't trust in the U.S. justice system to handle every crime and person as
it should but for us, context is important: This person's Twitter is
0xA3A97B6C, y'all can go there and get a better picture of the situation.

~~~
razorwolf
So much evidence of mental illness there (see also Facebook). I hope this
person gets help, but given their claim to also be in the country illegally
(Tuvalu), who knows.

I was ready to think this person was being set up by someone who didn't like
her, given how exposed she was to being identified, but the Twitter and FB
posts strongly suggest a vulnerable person making poor decisions instead.

~~~
lemax
Given that Ms. Thompson is transgender [0], it's likely a lot was stacked
against her emotionally. 40% of trans-identifying individuals attempt
suicide [1]. This is a disappointing omission from the reporting, and the road
that lies ahead for Ms. Thompson in the hands of the federal prison system is
surely horrifying.

[0]
[https://twitter.com/0xA3A97B6C/status/1152518528907354112](https://twitter.com/0xA3A97B6C/status/1152518528907354112)
[1]
[https://transequality.org/sites/default/files/docs/usts/USTS...](https://transequality.org/sites/default/files/docs/usts/USTS-Executive-Summary-Dec17.pdf)

~~~
rasz
I wonder if it could be an effective legal defense for her, akin to the plot of
Soderbergh's Side Effects (2013): "not guilty by reason of insanity" due to
hormonal treatment. There are precedents:

[https://www.charlotteobserver.com/news/local/crime/article64...](https://www.charlotteobserver.com/news/local/crime/article64105547.html)

[https://ps.psychiatryonline.org/doi/full/10.1176/appi.ps.53....](https://ps.psychiatryonline.org/doi/full/10.1176/appi.ps.53.1.27)

[https://www.mercurynews.com/2012/08/21/man-acquitted-after-a...](https://www.mercurynews.com/2012/08/21/man-acquitted-after-ambien-defense-now-faces-parole-board/)

~~~
amyjess
As a transgender person, I can tell you that estradiol absolutely cannot
induce insanity. At the absolute _most_, it can screw with your emotions in
the same exact ways as PMS (and PMS is indeed caused by hormonal
fluctuations).

The idea that it's on the same level as ambien is absurd.

~~~
rasz
NGRI is just a legal term covering committing a crime while not in full
possession of one's faculties, not limited to the "put me in the cuckoo house"
stuff people tend to associate with the word.

------
WrtCdEvrydy
Stolen from someone else but:

I wonder if we should create a new BSI (Broken System Interconnection) model

1 - Customer

2 - Former Employee

3 - Current Employee

4 - Bitcoin Miners

5 - Unknown Hackers

6 - Own Government

7 - Foreign Government

8 - Hardware Vulnerability

------
grier
What was Slack's role in all of this?

They appear to have turned over historical images and chat logs, not just for
the person indicted, but even others in the same channel.

Did the FBI ask nicely or was there actually some formal process?

~~~
Nbadal
Some of the conversation occurred on her Slack server, which as of an hour or
two ago was still completely open/public via an invite link shared on
Meetup.

The entire server chat log is a few Google searches away.

~~~
icelancer
Right. It was an open Slack group. It's likely the Special Agent is the source
of those logs and photos; no need for Slack to confirm anything except for
metadata to authenticate the logs (if that's even necessary for yet another
nail in the coffin).

------
Scoundreller
"According to Capital One, its logs show a number of connections or attempted
connections to Capital One’s server from TOR exit nodes"

Now there's a fail.

~~~
megous
How's that a fail?

~~~
cfors
They should not be letting egress traffic through to a Tor node.

~~~
joncrane
Is there enough space in an S3 bucket access policy to include DENY rules for
every known Tor IP address?

~~~
Scoundreller
By the sounds of it, the S3 bucket was internally accessible only. But the
attacker connected through the corp's Web Application Firewall after grabbing
the credentials to log in to the S3 bucket.

~~~
joncrane
"Internally accessible only" just means you have to have credentials to access
it.

You can also add IP address restrictions to a bucket access policy; this was
obviously not done here because once she had the credentials, it didn't matter
where she was accessing from.
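As an added illustration of the point made above (not code from any commenter), a bucket policy that refuses S3 requests unless they arrive through a specific VPC endpoint or from a specific corporate IP range, so that credentials used from a Tor exit node or a VPN are denied even though the credentials themselves are valid. The bucket name, VPC endpoint ID and CIDR are placeholders, and an explicit Deny in a bucket policy wins over any IAM Allow attached to the role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessFromTrustedNetwork",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-applications-bucket",
        "arn:aws:s3:::example-applications-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-0123456789abcdef0"
        },
        "NotIpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```

Both conditions must hold for the Deny to apply, so a request is admitted if it comes from either the VPC endpoint or the corporate range; test this on a non-production bucket first, because an administrator outside both networks is locked out too.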

------
warmcat
How is this person's information wiped off the Internet? I literally cannot
find anything related to her. Is it just me?

~~~
huehehue
Just keep refreshing this page, people seem to have no problem linking her
information all over this thread.

I get that much of this info is already public, but this feels like borderline
doxxing.

------
pseudolus
The New York Times has also picked up the story:
[https://www.nytimes.com/2019/07/29/business/capital-one-data...](https://www.nytimes.com/2019/07/29/business/capital-one-data-breach-hacked.html)

~~~
duxup
>Seattle Warez Kiddies

That is some old school naming.

------
jlgaddis
Apparently she used "erratic" as a pseudonym.

After reading through some of the complaint, it seems quite fitting.

~~~
Scoundreller
Quite possibly self-aware of their own ups and downs.

But that can get you in trouble when you're playing with fire.

------
WalterBright
I wonder why data security professionals don't practice compartmentalization.
100 million accounts should not be accessible from one account. It should be
like watertight compartments in a ship. Breaching one doesn't sink the ship.

~~~
lawnchair_larry
Data security professionals don’t make these decisions, random developers do.
And they do what is easiest.

~~~
JudgeWapner
At most large companies, IT sets the policy and developers are required to
work within that policy. I've worked at about 10 jobs. The only one where devs
could write their own ticket was a startup

~~~
lawnchair_larry
IT doesn’t have any involvement when it comes to S3 buckets at any company
I’ve seen. Anything in a cloud tenancy is devops acting with autonomy.
Sometimes they have a security person review it, but many companies don’t do
that, and the ones that do have way more moving parts than their security
engineers are capable of reviewing, so stuff gets through.

Even then, it’s unlikely that a security person would recommend
compartmentalizing this particular data set. Any application that needs access
to some of it probably needs access to all of it, and it makes little
difference if you compromise a server and get one key or if you get 30 keys.
The trust boundaries haven’t moved, so it would increase cost without really
mitigating any threats.

------
seibelj
I guess this is how we all finally get paid for our data. Just continually
file for our $125 check as every company that exists is hacked over the next
decade.

~~~
Rebelgecko
FYI, getting a $125 check from Equifax is contingent on most of the people
that are eligible to get one not actually requesting it. It'll probably be
less

~~~
mandelbrotwurst
Yeah, there's only $31M allocated for those payouts :/

~~~
DangitBobby
So less than 5% of the settlement goes to people affected? Yes, that seems
reasonable...

~~~
mandelbrotwurst
Right? Also just FYI I pulled that number from

[https://www.theverge.com/2019/7/26/8932398/equifax-settlemen...](https://www.theverge.com/2019/7/26/8932398/equifax-settlement-125-claim-wont-get-money-alternative-reimbursement-compensation)

------
dang
Company statement discussed here:
[https://news.ycombinator.com/item?id=20561212](https://news.ycombinator.com/item?id=20561212)

------
jammygit
> Capital One Financial Corp. lost data from as many as tens of millions of
> credit card applications after a Seattle woman hacked into a cloud-computing
> company server

> The cloud-computing company, on whose servers Capital One rented space,
> wasn’t identified in court papers

I can’t tell whether the company virtual server got hacked or whether the
cloud provider was who got breached. Hopefully just the vm

~~~
cfors
Well, the main cloud Capital One uses is Amazon as far as I know.

If you think about the attack vectors here, it was most definitely the virtual
server that got attacked. If it was the cloud provider (Amazon), there are a
lot of safeguards that these banks use to make sure that any data that touches
the shared server persistent storage is encrypted. And when I say safeguards,
I mean automation to make sure that this sort of scenario shouldn't ever
happen.

This is a huge blow for the public cloud and financial services companies,
unfortunately.

Edit: Seemingly a WAF firewall issue. I wonder what happened. These rules
should be applied automatically for Capital One using Cloud Custodian [0], so
a config issue definitely occurred somewhere.

Final edit: A leaked account with access to IAM permissions. Good lord was
occam's razor correct here.

[0] [https://github.com/cloud-custodian/cloud-custodian](https://github.com/cloud-custodian/cloud-custodian)

~~~
kapilvt
so I wrote the majority of cloud custodian and still maintain it. I no longer
work at capitalone (since jan 2019). afaics that the suspect
([https://www.linkedin.com/in/paige-t-704a29188/](https://www.linkedin.com/in/paige-t-704a29188/))
worked at AWS 3 years ago is also irrelevant, which is why it's not part of the
filing.

the best link for understanding what happened is actually the court case
filing, not the media reports.
[https://www.justice.gov/usao-wdwa/press-release/file/1188626...](https://www.justice.gov/usao-wdwa/press-release/file/1188626/download)

so this isn't a case of an s3 bucket being public/wide open, it's a case of a
waf's iam permissions being overly broad, if I'm parsing the filing correctly.
it's unclear how the waf product was hacked/bypassed and its credentials
obtained.

wrt custodian in this equation, it's not really related afaics. custodian
has lots of filters to help determine stuff like whether my ec2 or anything
with an iam role (lambda, etc) is overly permissive wrt permissions
(check-permissions filter). it also has the ability to filter individual
statements and access on any resource (s3, lambda, etc, there are many) with an
embedded iam policy on a fine grained basis (allow y accounts but not x
accounts) to protect against account level access (cross-account filter). And
the ability on ec2, via guard duty alerts, to auto remediate (suspend, memory
snapshot, yank role, volume snapshot). it's used by lots of users/enterprises
across the governance, security, and cost-optimization domains because it's
flexible and supports many clouds.

~~~
october_sky
Thanks for writing Cloud Custodian. What are you working on these days?

~~~
kapilvt
Still working on custodian, k8s integration up next. else atm. trying to
ensure that the next 20 years of opensource are open.

------
ArchD
"I sincerely apologize for the understandable worry this incident must be
causing those affected." - CEO

He worded it carefully. He's not apologizing for the actual and potential harm
of the breach so as to not take responsibility for it. Not a real, sincere,
apology, but just a legally defensive move.

------
gregw2
I'm still not clear what I need to do to protect myself from a similar class
of misconfiguration mistakes.

"The first command, when executed, obtained security credentials for a role
known as ____*-WAF-Role," says the affidavit.

Was some web app of CapOne coded so the JavaScript app fetched IAM credentials
over HTTP so it could do its job by accessing some other S3 bucket?? And that's
how Paige or someone she knew found the toehold in? That would be pretty brain
dead. Or was it more subtle in terms of pure WAF misconfiguration?

------
MH15
Can someone ELI5 how one bank has critical information on 100M US individuals?
Is this metric representative of accounts or anyone involved in a transaction
with a Capital One account?

------
peternicky
Is it just me or is there no mention from Capital One WHERE customers can go
to

1) check if they were affected by this breach and

2) what customers who are affected should do??

great way to start the day...

~~~
EricE
What to do? Freeze your credit!

[https://krebsonsecurity.com/2018/09/credit-freezes-are-free-...](https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/)

Not just for this breach but for all the past and current ones we don’t know
about and future ones that will happen.

The real problem is there is zero security/identity management in our
financial systems which is beyond nuts in this day and age.

------
EricE
If you haven’t frozen your credit report yet, what are you waiting for?!?

[https://krebsonsecurity.com/2018/09/credit-freezes-are-free-...](https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/)

------
dwighttk
Capital One's response:

[https://www.capitalone.com/facts2019/](https://www.capitalone.com/facts2019/)

~~~
tictok4
>Importantly, no credit card account numbers or log-in credentials were
compromised and over 99 percent of Social Security numbers were not
compromised.

Cool, just other stuff, such as name, address, income, credit score,
_transaction history_, payment history, ya know, nothing too important or
personal..

Arguably the least important data element is the account number...

------
koolba
How does one find out if their account info was part of this?

------
gfuture2019
This breach does not add up; there are a lot of inconsistencies. Also, it
comes right during the passing of the new law, the Shield Act.

------
buboard
Yeah but AWS had better tooling

------
girzel
Dear "Seattle Woman": while you're in there, please dump Capital One's junk
mail database, and set their address label printer on fire.

Sincerely, another Seattle resident with a mailbox.

~~~
ac29
[https://www.optoutprescreen.com/](https://www.optoutprescreen.com/) should
handle most of that. Yes, it's legit [0].

[0] [https://www.consumer.ftc.gov/articles/0148-prescreened-credi...](https://www.consumer.ftc.gov/articles/0148-prescreened-credit-and-insurance-offers)

~~~
singlow
Sorry not going to hand my SSN over to some random website to opt out from
junk mail.

------
andeebe
Hi all. To anyone concerned that Capital One holds your personal data, you can
find out if they do by using our free tool. Hope this helps

Apple [https://apps.apple.com/gb/app/tap-my-data/id1436042237?mt=8%...](https://apps.apple.com/gb/app/tap-my-data/id1436042237?mt=8%20%E2%80%A6)

Android
[https://play.google.com/store/apps/details?id=io.taprewards....](https://play.google.com/store/apps/details?id=io.taprewards.app)

And if your personal data has been involved in the Capital One breach, find
out what steps you should take next (TLDR):

• Change your usernames and passwords

• Keep an eye on your bank accounts and credit report

• Be wary of any emails regarding the breach

[https://tapmydata.com/my-personal-data-has-been-involved-in-...](https://tapmydata.com/my-personal-data-has-been-involved-in-a-breach-what-can-i-do-next/)

------
grayed-down
I'll be spec'ing a project soon where I think the organization's data should
be self hosted. I'm going to show them this piece.

~~~
longcommonname
A news article is a terrible reason to make engineering decisions.

~~~
grayed-down
A single news article, certainly. A handful of news articles, probably. But
news articles can be effectively used to support strategic decision making.
It's done all the time.

In my case I believe that putting trade secrets on an AWS cloud instance just
doesn't seem like a good idea.

------
nodesocket
> She is charged with a single count of computer fraud and faces a maximum
> penalty of five years in prison and a $250,000 fine. Her lawyer declined to
> comment.

We need to start putting the hammer down on these people; maximum five years,
meaning she/he will probably do one year. The US needs to start making
examples of these people and increase penalties.

~~~
PopePompus
I'd rather see the hammer applied to the companies that allow the data to be
stolen.

~~~
nodesocket
From what I read in the complaint, it wasn't as blatantly bone headed as other
breaches. Seemed to be an IAM permission issue related to AWS WAF.

This argument is constantly made on HN and it is analogous to; you left your
back door open at your house, and instead of arresting and prosecuting the
robber, we are going to arrest you. Sure, I made a mistake and left my back
door open, but that doesn't give the robber the right to break in and steal my
stuff. It is lacking a moral compass and sense of right and wrong. There needs
to be consequences for bad behavior.

~~~
PopePompus
I think it's more like I left the back door of _your_ house open, without ever
having permission to access your house, and you got robbed because of that.

I admit the Equifax situation was worse. The people whose data was lost by
Capital One probably at least have some sort of business relationship with
that company (for example, they may have applied for a credit card). I had no
business relationship with Equifax at all, yet apparently information about me
was leaked. I don't buy anything on credit, so I don't give a tinker's damn
what my credit score is. Equifax provides no value to me whatsoever, yet I now
have to worry about information they collected about me with no authorization
from me. I'd like that company to be sued into bankruptcy.

~~~
yub
The closest analogy would be that you gave me your house key so I could go in
and water your plants while you’re on vacation (signing up for an account),
but someone grabbed the key off my counter because I left my back door
unlocked. The folks who had their information leaked in this instance had
signed up for accounts with C1.

