08.13.2019

Capital One Experiences Third Largest Financial Hack from AWS Insider

The Hacker Gave Herself Away While Others Missed It for Months

Capital One Financial Corp, the world’s fifth largest credit card issuer, now has the dubious distinction of being the third largest financial hack victim in the US. Spots one and two are held by Equifax’s 2017 breach of 143 million consumers and Heartland Payment Systems’ breach of 134 million credit cards in 2008. Capital One’s breach affected 100 million bank customers in the US and 6 million more in Canada.

This story has another major distinction as well. As soon as Capital One announced the breach, the FBI announced it had arrested Paige Thompson, a 33-year-old Seattle resident who was behind the hack. She had previously worked as an AWS software engineer, where she gained the inside knowledge needed to plan the infiltration.

The exposed data included 140,000 Social Security numbers, 80,000 bank account numbers, 1,000,000 Social Insurance Numbers, plus bank account numbers, birth dates, email addresses, phone numbers, and self-reported income. Little left to an identity thief’s imagination.

Another Insider Hack

Thompson, the alleged hacker, got all the data from one Amazon cloud server, illegally accessing and downloading close to 30 GB of data belonging to Capital One credit card applicants.

She had previously worked for Amazon and used prior knowledge to gain access to an AWS server Capital One was renting. She gained access by taking advantage of a misconfigured firewall setting, which was put in place to protect the Amazon Web Services cloud. It’s not clear if Thompson was aware of the weakness specifically or was able to gain access just by using the prior knowledge she had. Either way, neither Amazon nor Capital One caught the error or was aware of her activity and the breach went on for months.

Some believe, and are certainly hoping, that Thompson had not yet sold the data on the black market. Despite the fairly lengthy dwell time, reports say the stolen data wasn’t extensively leaked. Even though a good deal of information was taken, credit card account numbers and log-in credentials weren’t among the compromised data. The breach is reported and believed by Capital One to have gone on for close to five (5) months, from March 12 to July 17.

"It appears that the breach was discovered before the alleged hacker had a chance to widely disseminate the information for exploit," said former FBI agent Leo Taddeo, now CISO of Cyxtera Technologies, a secure infrastructure platform provider based in Coral Gables, Florida.

"So, if no additional hackers had access to the same entry point, there is a chance the breach was contained," he told TechNewsWorld.

Capital One is notifying the customers whose 140,000 Social Security numbers and 80,000 bank account numbers, along with other data, were taken. The company will provide the usual credit monitoring and identity protection services. A Capital One credit card holder has already filed a lawsuit against the company for not protecting its customer data. Capital One estimates that the expenses it expects to hit its bottom line will range from $100 to $150 million this year.

Is the Cloud Too Risky or Does the Blame Belong Elsewhere?

Most large and midsize companies now rely heavily on the cloud for multiple business purposes and for storage. AWS generated $8.4 billion in revenue last quarter, with others (Microsoft, Azure, Alphabet and Google, to name a few) bringing in similarly large revenues.

Amazon says its service behaved as it should have – that the issue was entirely due to user action and misbehavior. Still, the threat remains – in part because we’ve already seen that such catastrophes can be brought about accidentally if not intentionally. Mistakes are commonly made when staff are configuring and manipulating firewall settings. A small misstep can result in exposing a Web application inadvertently.

While reported to be technically difficult to breach, AWS servers themselves have experienced huge breaches before due to unintentional configuration errors. In March of 2017, an Amazon employee’s error caused a massive AWS outage, affecting the country. In September of 2019, due to a configuration error, researchers announced the discovery that 7% of all Amazon servers were exposed and vulnerable. (See our blog, Researchers find 7 percent of all Amazon S3 servers exposed, https://virsec.com/researchers-find-7-percent-of-all-amazon-s3-servers-exposed/). Also in 2017, Verizon and World Wrestling Entertainment, Inc., experienced breaches they blamed on setup issues with their AWS servers.

Whether through accidental leaks or intentional hacking by a disgruntled employee, these exposures continue to happen to industry giants. Organizations aren’t doing enough to protect themselves and their customers.

Fines Coming Down for Breaches that Shouldn’t Have Happened

Right before Capital One disclosed it had been breached, news came out that Equifax had agreed to a $700 million fine from the FTC for its breach 2 years ago, along with some stricter regulation of its security. Facebook faced similar music, only bigger, with its fine at $5 billion. (See our articles Equifax Data Breach Settlement No Wrist Slap, FTC Approves Record $5B Fine for Facebook, and Along with $5B Fine, FTC Hands Down Privacy Controls for Facebook.)

Myriad Mistakes to Go Around

Virsec CTO Satya Gupta's thoughts on the hack reflect multiple failures. "This attacker was careless and boastful and most hackers trying to promote their own skills will get caught. It’s more disturbing that the hacker was not noticed by either Capital One or AWS who employed her – they had no clue until after the fact. Thankfully, ethical hackers were scanning GitHub and looking for illicit data that shouldn’t be there.

"There were many serious mistakes made. Capital One’s highly confidential data was accessible to a system admin by a very simple password-based mechanism. They were not using two-factor authentication and clearly no one was monitoring the audit logs. In addition, sensitive data was not encrypted at rest, and no one was auditing access logs. This was the Perfect Storm.

"The guidance for consumers in the aftermath of breaches like this one is usually the same and not very satisfactory – carefully monitor your credit and all financial transactions carefully, then hope it’s not you."

The Hacker Was Caught By Her Own Hand

Most of the time, we learn a few details about how the hack happened but we never find out the who. Or if we do, it’s in the form of a nation state such as Russia, North Korea or China.

These days, it doesn’t take nation-state-level sophistication to hack into high-level databases. Thanks to hacking tools being released into the wild years ago, anyone with some technical savvy, some readily available tools and the absence of a moral compass is qualified.

This hack was simply the act of one disgruntled individual who gave herself away because she was compelled to talk about her own ‘accomplishment’. Another developer on GitHub saw her comments about stealing data from Capital One and promptly notified them. Their next call was to the FBI. After searching Thompson’s home with a search warrant, FBI agents removed storage devices from her residence that held Capital One’s data.

Many hackers operate overseas to keep themselves away from laws and jurisdictions of countries like the US. But Thompson didn’t seem to consider this as she carried out and publicized her hack from Seattle.

Charged with computer fraud and abuse, she could face up to five years in prison and a fine of $250,000.

What Companies Aren’t Doing But Should Be to Protect Our Data

While companies find the cloud an imperative tool, they often don’t understand its underlying functions and vulnerabilities. Users may assume the cloud is a safe environment. The key is to be proactive about protecting one’s data in the cloud, not reactive after a breach has occurred.

Steps companies should be taking:

  • Be educated about the cloud security risks
  • Be informed about the cloud environment, tools and configurations
  • Stay current with patches (learn from Equifax)
  • Monitor employee behavior and access privileges – remove credentials of former employees
  • Know who has access to your data, including through third parties (AWS, etc.)
  • Manage password use and use best practices (change often, avoid easily guessed passwords)
  • Require strong user authentication

For customers, the most important thing they can do when their information has been stolen (and most everyone’s has been) is freeze their credit accounts with Equifax, Experian and TransUnion (do all three). Most consumers do not take this step, but thanks to the Equifax breach, it’s now free to do so and a simple process.


Further resources:

Blogs:

  • Researchers find 7% of all Amazon servers exposed
  • Along with $5B Fine, FTC Hands Down Privacy Controls for Facebook
  • FTC Approves Record $5B Fine for Facebook
  • Congressional investigation into Equifax breach finds multiple security failures

White papers:

  • White Paper: Why Web Application Firewalls Are Not Enough
  • Data Breach Self-Protection Guide: 10 Steps for Consumers and 7 Steps for Businesses to Protect Themselves Against Data Compromise Before- & After-the-Fact