Your Capital One account was hacked. There was nothing you could have done about it.

People walk past the Capital One Café on Boylston Street. Capital One suffered one of the largest banking data breaches, federal prosecutors revealed this week. Photo by Ruby Wallau/Northeastern University
People walk past the Capital One Café on Boylston Street. Capital One suffered one of the largest banking data breaches, federal prosecutors revealed this week. Photo by Ruby Wallau/Northeastern University

The personal information of more than 100 million Capital One customers was hacked, federal prosecutors revealed this week—and there was nothing the victims could have done to protect themselves, says William Robertson, an associate professor of computer science at Northeastern. 

“When applying for credit, most people would trust a large bank such as Capital One to not mishandle their personal data,” says Robertson, whose research at the Khoury College of Computer Sciences focuses on security improvements for operating systems, mobile devices, and the web. 

William Robertson, an associate professor in the Khoury College of Computer Sciences, focuses on security improvements for operating systems, mobile devices, and the web. Photo by Mariah Tauger/Northeastern University

The theft ranks among the largest suffered by a bank in what has been a global epidemic of online security breaches. A 33-year-old software engineer in Seattle, Paige Thompson, has been arrested and charged with stealing credit-card applications and other information spanning 15 years. 

After being alerted of the breach by a tipster on July 17, Capital One said that it “immediately fixed the configuration vulnerability.”

“We believe it is unlikely that the information was used for fraud,” Capital One added.

That offers little solace to consumers who can no longer be certain of whom to trust in the increasingly vulnerable online universe, asserts Robertson. 

What can people do to keep their information safe?

Consumers should first and foremost be aware that their personal information is valuable. Their names, addresses, social security numbers, and other data can be used for banking fraud, such as opening lines of credit in their name; or can be combined with other information, such as on social media, to compromise their online accounts. As such, one should be careful not to divulge this information to untrustworthy people.

That said, there is little that consumers could have done to protect themselves in this situation.

Fault lies entirely with the bank for failing to properly protect this data in spectacular fashion. The only protection available to consumers would have been to not apply for a credit line from Capital One since 2005 to the present.

What will bring this worldwide plague of data breaches to an end?

There are a large number of technical solutions that can reduce the risk that sensitive data is exposed to attackers. However, it seems clear, given the prevalence of massive data breaches we have seen, that there is insufficient internal incentive to use the security technology we have.

In this case, sensitive data was accessible on vulnerable Amazon cloud instances and storage buckets, which is a clear failure to either encrypt personally identifiable information, or to protect the encryption keys used to protect that data, which is a common failure mode for cloud-hosting provider storage encryption schemes.

What do hackers want with this information? What is the motivation behind hacking?

Oftentimes, such information is used for banking fraud or to facilitate further exploitation. 

However, in this case it appears that the alleged attacker may not have been motivated by financial reasons, but rather by the sport of compromising systems. Curiously, the attacker made numerous posts on Twitter detailing how she compromised Capital One and other organizations, and also maintained a Slack channel with similar information.

For media inquiries, please contact Marirose Sartoretto at m.sartoretto@northeastern.edu or 617-373-5718.