Capital One Hack Highlights Poor Data Security Practices
A former AWS employee has been accused of accessing Capital One’s misconfigured S3 storage buckets and copying the data of about 100 million Americans and 6 million Canadians to GitHub in the country’s latest massive data breach.
Charges were filed Monday against Paige A. Thompson, 33, for illegally accessing Capital One’s data. According to the complaint filed in US District Court in Seattle, Washington, Thompson hacked Capital One’s data in March and April.
Thompson, who lives in Seattle and goes by the screen name “erratic,” illegally accessed more than 700 S3 buckets belonging to Capital One. According to the US Attorney’s complaint, the data contained credit card applications, including approximately 120,000 Social Security numbers and 77,000 linked bank account numbers belonging to Capital One credit card customers.
“Although some of the information in those applications (such as Social Security numbers) has been tokenized or encrypted,” the complaint states, “other information, including applicants’ names, addresses, dates of birth and information regarding their credit history has not been tokenized.”
It appears the FBI was tipped off to Thompson’s activities as a result of comments Thompson made in online groups, including GitHub, Twitter, Slack, and Meetup groups. A GitHub user who saw one of Thompson’s posts alerted Capital One that it may have suffered a data breach on July 17, according to a DOJ press release posted Monday.
“After determining on July 19, 2019, that there had been an intrusion into its data, Capital One contacted the FBI,” the press release states.
The DOJ alleges that Thompson gained access to Capital One’s IP addresses through a misconfigured Web application firewall. The complaint alleges that Thompson used one command from a “Cloud Computing Company” (identified elsewhere as AWS) to list Capital One’s “folders or buckets,” and then another to copy them. She used Tor to conceal her activities, the DOJ alleges.
Thompson faces charges of computer fraud and abuse, which carries a sentence of up to five years in prison and a $250,000 fine. She is due in court for a hearing on Thursday.
News of the Capital One data breach came less than a week after the Federal Trade Commission announced that it had agreed to a settlement with Equifax, which suffered a 2017 data breach that compromised the records of 147 million people. Individuals impacted by the Equifax breach can claim up to $125 to offset credit monitoring coverage, as well as compensation for the impact of identity theft. In total, Equifax is expected to pay anywhere from $575 million to $700 million as a result of its poor handling of data.
While the Capital One and Equifax data breaches both appear to be the result of poor server configurations, that should not be an excuse for losing a handle on the data, argues Steve Marsh, a vice president with Nucleus Cyber, a provider of security software.
“Breaches like this underscore the need to protect the data itself, rather than only focusing on the repository, to make it harder for hackers to access it, even if they successfully get into the system,” Marsh tells Datanami. “The risk is too great for companies to err by solely protecting the data container and not the content within it.”
By applying data-centric protection to the data contents themselves, and not just the container they reside in, companies can greatly mitigate the impact of breaches, Marsh says. “Until organizations recognize the need for a data-centric security strategy and implement technologies that can enforce those strategies, we’ll continue to be vulnerable,” he says.
While the hack happened on AWS, that shouldn’t dampen customers’ enthusiasm for the cloud, argues Igor Baikalov, chief scientist at Securonix, which develops data lake software for security.
“Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds,” Baikalov tells Datanami.
“The perpetrator of this breach was identified unusually fast and turned out to be a former employee of AWS, a cloud computing company contracted by Capital One, according to NYT and Bloomberg. This fact alone shouldn’t be considered a setback for the adoption of public cloud. It should rather be viewed as another harsh reminder of the importance of third party security and insider threat programs for both providers and consumers of public cloud services.”