Capital One has confirmed a ‘data security incident’ which affected more than 100 million customers in the US and Canada – and while Amazon Web Services (AWS) has been identified as the receptacle in which the data was stolen, both customer and vendor appear not to be to blame.
Paige A. Thompson, otherwise known as ‘erratic’, was arrested on Monday and appeared in court in Seattle on a charge of computer fraud and abuse. According to the criminal complaint document (pdf), a ‘firewall misconfiguration’ ensured the vulnerability of the Capital One cloud server.
On July 17, a previously unknown individual emailed Capital One’s responsible disclosure address pointing it to a GitHub account where leaked data resided. “Capital One determined that the [file] contained the IP address for a specific server,” the document notes. “A firewall misconfiguration permitted commands to reach and be executed by that server, which enabled access to folders or buckets of data in Capital One’s storage space at the Cloud Computing Company.”
That cloud computing company, it was later confirmed, was Amazon. The original email, alongside a Slack message purportedly from Thompson, mentioned S3, AWS’ primary storage product. Amazon confirmed this to Bloomberg, adding that the data ‘wasn’t accessed through a breach or vulnerability in AWS systems.’ AWS also confirmed that Thompson had previously been an employee of the company, last working there in 2016.
Capital One is a well-known AWS customer; the company selected Amazon as its ‘predominant cloud infrastructure provider’ in 2016, with the news announced in conjunction with AWS’ re:Invent customer gathering. The financial services provider said at the time it was advocating a cloud-first mindset, with plans to migrate the majority of its core business and customer applications to AWS over the coming five years.
From Capital One’s perspective, the company praised its cloud-first system for the speed at which it was able to remediate the incident. Putting together a specific question-and-answer on the subject in its press materials, Capital One wrote: “This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data centre environments.
“The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.”
Capital One noted that no credit card account numbers or login credentials were compromised, as well as less than 1% of social security numbers. The press materials curiously noted that ‘no bank account numbers or social security numbers were compromised, other than… about 140,000 social security numbers of… credit card customers.’
Alex Heid, chief research officer at SecurityScorecard, described the company’s response as ‘commendable’, particularly in its disclosure and bug hunting practices, but added a caveat. “From the standpoint of any business handling large amounts of data, the use of third-party hosting services within cloud computing environments is an unavoidable reality of the modern era,” said Heid. “The attack perimeter of a network goes beyond the organisation itself and is often intertwined with a collection of third-party vendors.
“In addition to making use of a continuous monitoring service for all external assets is an important part of understanding the scope, implementing a bug bounty reporting program will go a long way in making sure there’s always an ‘extra set of eyes’ on assets of value.”
You can take a look at the Capital One page dedicated to the incident here.
Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.