UPDATED 22:05 EST / JULY 29 2019


In huge breach, 100M customer records stolen from Capital One

Data relating to more than 100 million Capital One Financial Corp. customers has been stolen after a misconfigured firewall enabled a hacker to access the data stored in the cloud.

The data breach, one of the largest to hit a big bank, took place between March 12 and July 17 but only came to light after the alleged hacker, 33-year-old Paige A. Thompson from Seattle, posted information about the theft online. Thompson, who has since been arrested by the U.S. Federal Bureau of Investigation, allegedly posted some of the stolen data on GitHub using her own name on April 21.

What Thompson did with the data, aside from sharing some of it online, is not yet clear, but the amount of data accessed is. The data relates to 100 million Capital One credit card applicants and holders in the U.S. and 6 million in Canada.

The data was stored on Amazon Web Services Inc.’s S3 cloud storage, but Capital One today took responsibility for the misconfiguration that led to the theft; AWS wasn’t at fault. According to court papers, Thompson, a former AWS employee, got access to the data through a misconfiguration of a firewall on a web application, allowing her to access the server where the data was stored.

The data primarily consisted of credit card applications that included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income. The applications also included “portions of credit card customer data” including credit scores, credit limits, balances, payment history, contact information and “fragments of transaction data.”

In addition, 140,000 Social Security numbers were stolen along with 80,000 linked bank account numbers of U.S. customers, while 1 million Social Insurance Numbers were stolen from Canadian Capital One customers.

Officially, Capital One is spinning the data breach as one in which a “sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure,” making it out to be some sort of serious hack.

The court complaint, however, shows that access was gained because Capital One failed to deliver on basic cloud security: securing an S3 storage “instance” in AWS’ cloud. Worse still, Capital One didn’t even know about the data breach until receiving an email July 17 from an unnamed person saying that “there appears to be some leaked S3 data of yours in someone’s github.”

The fact that the data wasn’t technically hacked is even reflected in the charge against Thompson: intentionally accessing a computer without authorization. Despite claims by some publications, she doesn’t stand accused of hacking, but of accessing publicly exposed information because a multibillion-dollar company failed to configure an S3 instance properly, which is basic cloud security.

The only strange part of the story is that Thompson published some of the data on GitHub under her own name and made no attempts to hide her identity. That can presumably only have been intentional, but even if not, she doesn’t appear to meet the description of being a “sophisticated individual” as claimed by Capital One.

Capital One likely won’t be the last to expose data in this way. The list of companies exposing data via misconfigured AWS S3 instances is a long one, including Accenture PLC, U.S. Army Intelligence and Security Command, Verizon Communications Inc., TigerSwan, FedEx Corp., Octoly, True Corp. and Veeam Software Inc.

Photo: Billy Hathorn/Wikimedia Commons
