Top Class Actions’s website and social media posts use affiliate links. If you make a purchase using such links, we may receive a commission, but it will not result in any additional charges to you. Please review our Affiliate Link Disclosure for more information.
Security experts have weighed in on the vulnerabilities that caused the recent Capital One hack, in which 100 million private records were compromised.
At first, there had been speculation that it was an “inside job” or a security flaw that may have been known to the software vendor but for which no patch had yet been developed (also known as a “zero day” flaw.) But the most recent investigation suggests that the hacker’s methods have long been understood by security experts.
The Capital One Hack
Authorities arrested a 33-year-old Seattle software engineer, who had previously worked for Amazon, for hacking into an Amazon cloud server where Capital One Bank, a major credit card issuer, stored sensitive financial records of more than 100 million customers.
According to federal prosecutors, the incident was one of the largest data thefts in recent history. The hack snared 140,000 Social Security numbers, 80,000 bank account numbers, 1 million Canadian Social Insurance numbers, and countless credit applications.
Capital One officials have said they do not believe the data was stolen for purposes of fraud. From what is known of the hacker, it appears to have been an attempt to show off and prove it could be done. The woman accused of perpetratrating the Capital One hack did not cover her digital tracks, had mental health issues and bragged on Twitter that she had strapped herself with a virtual “bomb vest.” She threatened to distribute the stolen data even though she knew what would happen to her as a result.
This is small comfort to those whose data was compromised and must now pay for credit monitoring and deal with the possibility of identity theft.
The Role of “Modsec”
“ModSecurity,” or Modsec, is what is known as an open-source Web Application Firewall (WAF). In simple terms, this security module defends servers against the most common vulnerabilities that hackers use to break into a database.
In the case of the Capital One hack, the module was not configured properly. This allowed the hacker to essentially trick the firewall, using a well-known method referred to as a “Server Side Request Forgery” (SSRF). Because the WAF had been misconfigured to list all the files contained in a block of data, the hacker was able to “dupe” the software into revealing everything, according to cybersecurity blog KrebsOnSecurity.com.
Unfortunately, public cloud storage is particularly vulnerable to SSRF attacks.
Is Capital One Responsible?
Regardless of whether or not Capital One actually owned or controlled the compromised server, the company may ultimately bear liability, even if the company that houses the data is actually at fault. However, the extent of liability can vary, depending on the specifics of the case and the economic and psychological impacts of those who were affected.
Join a Free Capital One Data Breach Lawsuit Investigation
If you applied for a Capital One credit card between 2005 and 2019 in the United States or Canada, you may may qualify to join this Capital One data breach class action lawsuit investigation.
This article is not legal advice. It is presented
for informational purposes only.
ATTORNEY ADVERTISING
Top Class Actions is a Proud Member of the American Bar Association
LEGAL INFORMATION IS NOT LEGAL ADVICE
Top Class Actions Legal Statement
©2008 – 2024 Top Class Actions® LLC
Various Trademarks held by their respective owners
This website is not intended for viewing or usage by European Union citizens.
19 thoughts onCapital One Hack: How It Happened
Please add me
Please add me to this law suit
Please add me.
Please add me to this class action law suit. Thank you.
Yes I have 2 capital one cards and after the data breach my information was exposed I’m so terrified even my license number!! I want to be Compensated thank you!!
I’m requesting to be added to the class action suit of data breach from Capital One. My credit card has been compromised at least three times over the last several years. During this time, I have resided in Florida and Virginia.
add me please
please add me