In huge breach, 100M customer records stolen from Capital One
Data relating to more than 100 million Capital One Financial Corp. customers has been stolen after a misconfigured firewall enabled a hacker to access the data stored in the cloud.
The data breach, one of the largest to hit a big bank, took place between March 12 and July 17 but came to light only after the alleged hacker, 33-year-old Paige A. Thompson of Seattle, posted information about the theft online. Thompson, who has since been arrested by the U.S. Federal Bureau of Investigation, allegedly posted some of the stolen data on GitHub using her own name on April 21.
What Thompson did with the data, aside from sharing some of it online, is not as yet clear but the amount of data accessed is. The data relates to 100 million Capital One credit card applicants and holders in the U.S. and 6 million in Canada.
The data was stored on Amazon Web Services Inc.’s S3 cloud storage, but Capital One today took responsibility for the misconfiguration that led to the theft, and AWS wasn’t at fault. According to court papers, Thompson, a former AWS employee, got access to the data through a misconfiguration of a firewall on a web application, allowing her to access the server where the data was stored.
The data primarily consisted of credit card applications that included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income. The applications also included “portions of credit card customer data” including credit scores, credit limits, balances, payment history, contact information and “fragments of transaction data.”
In addition, 140,000 Social Security numbers were stolen along with 80,000 linked bank account numbers of U.S. customers, while 1 million Social Insurance Numbers were stolen from Canadian Capital One customers.
Officially, Capital One is spinning the data breach as one in which a “sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure,” making it out to be some sort of serious hack.
The court complaint (below), however, shows that access was gained because Capital One failed to deliver on basic cloud security: securing an S3 storage “instance” in AWS’ cloud. Worse still, Capital One didn’t even know about the data breach until receiving an email July 17 from an unnamed person saying that “there appears to be some leaked S3 data of yours in someone’s github.”
The fact that the data wasn’t technically hacked is even reflected in the charge against Thompson: intentionally accessing a computer without authorization. She doesn’t stand accused of hacking despite claims by some publications but of accessing publicly exposed information because a multibillion-dollar company failed to configure an S3 instance properly, which is basic cloud security.
The only strange part of the story is that Thompson published some of the data on GitHub under her own name and made no attempts to hide her identity. That can presumably only have been intentional, but even if not, she doesn’t appear to meet the description of being a “sophisticated individual” as claimed by Capital One.
Capital One likely won’t be the last to expose data in this way. The list of companies that have exposed data via misconfigured AWS S3 instances is a long one, including Accenture PLC, U.S. Army Intelligence and Security Command, Verizon Communications Inc., TigerSwan, FedEx Corp., Octoly, True Corp. and Veeam Software Inc.