The Future Is Here
We may earn a commission from links on this page

Capital One Really Dragged Its Ass on the Anti-Hack Stuff: Report

We may earn a commission from links on this page.
Image for article titled Capital One Really Dragged Its Ass on the Anti-Hack Stuff: Report
Photo: Drew Angerer (Getty)

Ahead of a massive data breach that exposed the personally identifiable information of more than 100 million people, a new report claims, Capital One may have failed to take measures to better detect potential hacks—which, from where now stand, seems like a pretty big misstep.

Citing sources familiar with the matter, the Wall Street Journal reported Thursday that employees of the bank “raised concerns within the company about what they saw as high turnover in its cybersecurity unit” and negligence around addressing firewall vulnerabilities. Additionally, the Journal reported, the bank had yet to install software it allegedly purchased over a year ago to help detect breaches, an issue that was raised with the bank’s leadership:

Routine cybersecurity measures to help protect the company sometimes fell by the wayside, some of the people said. For instance, the bank around late 2017 bought software from a company called Endgame to improve its ability to detect hacks, some of the people said. More than a year after buying the software, Capital One still hadn’t finished installing it, one of the people said. The issue was flagged to [cybersecurity chief Michael Johnson], the bank’s internal auditors and others, according to one of the people. It couldn’t be determined how they responded. Endgame declined to comment.


Capital One did not immediately return a request for comment; however, a spokesperson for the company told the Journal in a statement: “Safeguarding information is essential to our mission and to our role as a financial institution. We’ve invested heavily in cybersecurity and will continue to do so.”

For a bank that claims it’s “invested heavily” in security, it sure appears to have taken its sweet-ass time implementing its available preventative measures.


According to an earlier report from the Journal, alleged hacker Paige Thompson—who previously worked for Amazon Web Services, an Amazon-owned cloud service used by Capital One—was able to find a misconfiguration vulnerability in Capital One’s systems and exploited it to extract data on about 6 million people in Canada and roughly 100 million in the United States.

Citing messages and interviews with people familiar with the matter, the Journal reported that security experts “for years have warned about that gap, which the messages and interviews suggest she used to trick a system in the cloud to uncover the sensitive credentials she needed to access the vast number of customer records.”

That data included information found on credit card applications as well as some transaction information, balance statements, contact information, credit scores, and self-reported income. Additionally, the breach exposed roughly 140,000 Social Security numbers and about 80,000 linked bank account numbers, the company said.

Capital One announced breach on July 29 after being alerted to the issue by an individual who saw Thompson post about it online. In a statement at the time, CEO Richard Fairbank apologized “for the understandable worry this incident must be causing those affected and I am committed to making it right.”


In a new court filing this week, prosecutors claimed that evidence found during a search of her home “suggests that Thompson intruded into servers operated, rented, or contracted by over 30 companies, educational institutions, and other entities.” They added that while not all of those additional breaches included theft of personal data, it seems “likely” that some did.

“The government is continuing its investigation, which will take a significant amount of time and resources, given the immense amount of forensic evidence to review,” the filing stated. “To date, however, the government has not uncovered any evidence that would suggest Thompson’s statement that she neither sold, nor otherwise disseminated, any of the data beyond the servers that the government recovered is untrue.”