Canadian Underwriter

How it happened: Capital One’s $100-million cyber loss

July 30, 2019   by Greg Meckbach


Credit card issuer Capital One Financial Corp. expects that a massive cyber breach affecting millions of Canadians could cost the firm more than $100 million.

“Expected costs are largely driven by customer notifications, credit monitoring, technology costs, and legal support,” Capital One stated Monday. “We believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”

Capital One said Monday it has $400 million in cyber insurance with a $10-million deductible. The firm did not explicitly state that it has filed a claim or whether the breach falls within the wording of its policy.

A spokesperson for Capital One Canada declined to comment on who the company’s insurance providers are or on how the breach occurred.

In an affidavit filed Monday in a Seattle court, an FBI agent said “firewall misconfiguration” allowed a person outside of Capital One to send computer commands to a server used by Capital One at a cloud computing provider.

A firewall, which can be either a hardware device or software loaded onto a computer, either blocks network traffic completely or selectively filters traffic coming into and going out of a network.

Roughly 6 million Canadians were affected by the breach; 1 million social insurance numbers of Canadians were compromised.

Data exposed include information on consumers and small businesses who applied for credit cards back to 2005. That information includes names, addresses, postal codes, phone numbers, e-mail addresses and dates of birth.

In Canada, Capital One provides Mastercard credit cards for Costco Wholesale’s Canadian retail network and the Hudson’s Bay Company, the Canadian Press reported.

Capital One found out about the breach on July 17 when a person emailed the financial services firm alerting it to a file on the website of GitHub, a web hosting firm that lets users manage and store revisions to computer programs. The individual included the file’s web address in the email to Capital One.

Although GitHub is intended for legitimate software development projects, one file contained information about Capital One. It also provided information about Paige Thompson, who is now in jail.

Specifically, the GitHub file contained code for three commands, Special Agent Joel Martini of the Seattle Field Office of the FBI wrote in an affidavit filed Monday with the United States District Court for the Western District of Washington in Seattle. The statements in the affidavit have not been tested in court.

One of those commands obtained security credentials for a Capital One computer user account. The second command was used to read a list of names of folders on Capital One’s computers. A third command could copy or extract data from those folders.

Capital One hires a cloud service company to provide computer servers.

“A firewall misconfiguration permitted commands to reach and be executed [by a Capital One server], which enabled access to folders or buckets of data in Capital One’s storage space [at the cloud computing company],” wrote Special Agent Martini.

As a result of the tip it got on July 17, Capital One was able to figure out that on Apr. 21, one of the computer commands was executed, Special Agent Martini wrote in his affidavit.
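The affidavit summary above describes a three-step sequence: obtain credentials, list the storage folders (buckets) those credentials can see, then copy data out. From a detection standpoint, the useful signal is that one identity performs all three steps in order within a short window. The following is an added example, not code from the article or from Capital One; the audit-log format, event names and identities are constructed for illustration and do not correspond to any particular cloud provider’s API.

```python
"""Detect a credential -> folder listing -> bulk copy sequence by one identity.

Added example. The log records below are constructed; the event names
(GetCredentials, ListFolders, CopyData) are stand-ins for whatever a real
cloud audit log calls these operations.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed audit records: (timestamp, identity, event, detail).
SAMPLE_LOG: List[Tuple[str, str, str, str]] = [
    ("2019-04-21T10:00:05Z", "role-A", "GetCredentials", "temporary credentials issued"),
    ("2019-04-21T10:00:41Z", "role-A", "ListFolders", "700 folders returned"),
    ("2019-04-21T10:01:10Z", "role-A", "CopyData", "folder=applications-2017"),
    ("2019-04-21T10:01:12Z", "role-A", "CopyData", "folder=applications-2018"),
    ("2019-04-21T11:30:00Z", "role-B", "ListFolders", "12 folders returned"),
    ("2019-04-21T12:00:00Z", "role-C", "GetCredentials", "temporary credentials issued"),
    ("2019-04-22T12:00:00Z", "role-C", "CopyData", "folder=logs"),
]


def parse(record: Tuple[str, str, str, str]):
    """Turn one constructed record into (datetime, identity, event)."""
    ts, identity, event, _detail = record
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), identity, event


def find_exfil_chains(records, window=timedelta(minutes=30), min_copies=2) -> Dict[str, dict]:
    """Return identities that obtained credentials, then listed folders, then
    issued at least `min_copies` copy operations, all within `window` of the
    credential event. Order matters: copies before the listing are ignored."""
    by_identity = defaultdict(list)
    for rec in records:
        ts, identity, event = parse(rec)
        by_identity[identity].append((ts, event))

    hits: Dict[str, dict] = {}
    for identity, events in by_identity.items():
        events.sort()
        for t0 in (t for t, e in events if e == "GetCredentials"):
            in_window = [(t, e) for t, e in events if t0 <= t <= t0 + window]
            list_times = [t for t, e in in_window if e == "ListFolders"]
            if not list_times:
                continue  # credentials alone are routine
            t_list = min(list_times)
            copies = [t for t, e in in_window if e == "CopyData" and t > t_list]
            if len(copies) >= min_copies:
                hits[identity] = {"credentials": t0, "listing": t_list, "copies": len(copies)}
                break  # one alert per identity is enough
    return hits


if __name__ == "__main__":
    for who, info in find_exfil_chains(SAMPLE_LOG).items():
        print(f"ALERT {who}: credentials {info['credentials']:%H:%M:%S}, "
              f"listing {info['listing']:%H:%M:%S}, {info['copies']} copy operations")
```

In the constructed sample only `role-A` fires: `role-B` never obtained credentials in the log, and `role-C` copied data a day after its credential event with no listing in between. In practice the window and copy threshold would be tuned to the environment, and the listing step is often the best single anchor, since a workload that normally reads a fixed set of folders has little reason to enumerate all of them.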

A computer administrator can tell a firewall which “ports” to use and which ports cannot be used, Doug Cooke, director for sales engineering at McAfee Canada, told Canadian Underwriter earlier, commenting in general and not on any particular incident.

Not setting up rules on outbound traffic is a risk factor that clients may overlook, Mark Nunnikhoven, Ottawa-based vice president of cloud research for Trend Micro Canada, told Canadian Underwriter earlier.
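To make the port and direction point above concrete, here is an added example (not from the article, and not any product’s rule syntax) that models how a simple first-match firewall policy decides on a connection. It evaluates the same outbound connection under two constructed policies: one with inbound rules only, where outbound traffic is left at allow-all, and one that adds an outbound allowlist with a default deny. The addresses, ports and rule format are assumptions made for illustration.

```python
"""First-match firewall policy evaluation with and without egress rules.

Added example. Rule syntax, addresses and both policies are constructed
stand-ins, not taken from any firewall product or from the incident.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str        # "in" or "out"
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # destination port, or None for any port
    remote: str           # CIDR the remote address must fall inside
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Conn:
    direction: str
    proto: str
    port: int
    remote: str


def evaluate(policy: List[Rule], defaults: Dict[str, str], conn: Conn) -> str:
    """First matching rule wins; otherwise the default for that direction applies."""
    remote_ip = ipaddress.ip_address(conn.remote)
    for r in policy:
        if r.direction != conn.direction or r.proto != conn.proto:
            continue
        if r.port is not None and r.port != conn.port:
            continue
        if remote_ip not in ipaddress.ip_network(r.remote):
            continue
        return r.action
    return defaults[conn.direction]


# Policy 1 (constructed): inbound rules only; outbound never restricted.
INGRESS_ONLY: List[Rule] = [
    Rule("in", "tcp", 443, "0.0.0.0/0", "allow"),
]
DEFAULTS_INGRESS_ONLY = {"in": "deny", "out": "allow"}

# Policy 2 (constructed): same inbound rules plus an outbound allowlist.
WITH_EGRESS: List[Rule] = INGRESS_ONLY + [
    Rule("out", "udp", 53, "10.0.0.2/32", "allow"),    # internal DNS resolver
    Rule("out", "tcp", 443, "10.0.1.0/24", "allow"),   # internal API tier
]
DEFAULTS_WITH_EGRESS = {"in": "deny", "out": "deny"}

# Constructed connections: one expected, one to an arbitrary external host.
EXPECTED_DNS = Conn("out", "udp", 53, "10.0.0.2")
UNEXPECTED_EGRESS = Conn("out", "tcp", 443, "203.0.113.10")


def compare(conn: Conn = UNEXPECTED_EGRESS) -> Dict[str, str]:
    """Decision for `conn` under each policy."""
    return {
        "ingress_only": evaluate(INGRESS_ONLY, DEFAULTS_INGRESS_ONLY, conn),
        "with_egress_rules": evaluate(WITH_EGRESS, DEFAULTS_WITH_EGRESS, conn),
    }


if __name__ == "__main__":
    for name, c in (("expected DNS", EXPECTED_DNS), ("unexpected egress", UNEXPECTED_EGRESS)):
        print(name, compare(c))
```

The point the model makes is the one Nunnikhoven raises: with inbound-only rules the external connection is allowed simply because nothing ever says otherwise, while the second policy still permits the traffic the server legitimately needs (the internal resolver, the internal API tier) and denies everything else outbound by default, so an unexpected destination is blocked and can be logged rather than silently passed.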

After Capital One told U.S. authorities about its breach, the FBI started tracking Thompson, who uses the online handle “erratic,” CP reported.

The FBI says Thompson is a former employee of the cloud service provider that Capital One uses. She is alleged to have violated a U.S. federal law making it illegal to intentionally access a computer without authorization or to exceed one’s authorized access and obtain information contained in the financial record of a card issuer. The allegations against Thompson have not been proven in court.

CP reported Tuesday that Thompson made an initial appearance in court and was ordered to remain in custody pending a detention hearing Thursday.

“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” Capital One CEO Richard Fairbank said in a release.

1 Comment » for How it happened: Capital One’s $100-million cyber loss
  1. Bruno Jurgaitis says:

    What is your purpose of mentioning that this company provides Mastercard credit cards for several Canadian retailers? Are holders of these cards to be concerned? Should you expand on this statement?
