The story of the hacker who got hold of 100 million Capital One credit applications and accounts keeps getting bigger. First there’s the breach itself — the woman who hacked her way into the AWS S3 buckets openly talked about her exploits on Twitter and Slack with enough details to make it pretty clear what she was doing…

The problem isn’t that she hacked, the problem is that it seems it was actually pretty easy.  In a day and age of frequent breaches, it still seems unconscionable that a company would put so much data under a single access rule. Granted, all that data might need to be accessed by some system or another, but 106 Million records is an awful lot for a simple copy command.

Now Congress is involved as stated in this Forbes article:

Congress Launches Investigation Into Capital One, Amazon For Massive Data Breach
https://www.forbes.com/sites/rachelsandler/2019/08/01/congress-launches-investigation-into-capital-one-amazon-for-massive-data-breach/#5cd5dcfb2ba2

And a few extra news articles can be found around the web as chatter increases on this, unfortunately, classic example of the scope of a corporate breach in 2019:

CNN: A hacker gained access to 100 million Capital One credit card applications and accounts
https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html

Kerbs on Secuirty: Capital One Data Theft Impacts 106M People
https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/

USA Today: Seattle woman charged in Capital One breach may have data from other companies
https://www.usatoday.com/story/money/business/2019/07/30/suspect-behind-capital-one-data-breach-may-have-more/1865848001/

The court filing an be found here:
https://www.justice.gov/usao-wdwa/press-release/file/1188626/download