The massive Capital One data breach that compromised the personal information of 100 million credit card customers and applicants serves as a stark reminder that misconfigurations and malicious insiders can defeat the most well-intentioned cyber defenses, even when companies rely on a third-party cloud service to securely manage their data.
In the case of Capital One, Seattle-area woman Paige Thompson stands accused of leveraging a misconfigured web application firewall last March to access the finance company's files, hosted on Amazon Web Services S3 servers.
The storage buckets contained data that Americans and Canadians filled out on their credit card application forms, including names, addresses, zip/postal codes, phone numbers, email addresses, birth dates and self-reported income. Other compromised data included credit scores, credit limits, balances, payment histories, contact information, fragments of transaction data and, in a small subset of cases, Social Security numbers, linked bank account numbers and social insurance numbers.
A federal complaint filed by the Department of Justice in the District of Western Washington alleges that Thompson on April 21 publicly posted certain data related to the breach on GitHub. Included in the post was a list of more than 700 folders or buckets containing customer data, as well as code for commands that could be used to obtain Capital One credentials, enumerate folders or buckets of data from AWS, and then extract said data.
Thompson, who according to the DOJ uses the hacker alias "erratic," was an AWS employee from 2015-16, a revelation that suggests she could have leveraged her knowledge and status as a former insider to help breach Capital One. An official DOJ complaint theorizes that Thompson may have breached other organizations as well, based on references she made on social media. Recent news reports indicate that other victimized organizations may potentially include Michigan State University, Italian bank UniCredit SpA (the company reportedly stated in a memo that it found no evidence that its data was accessed or compromised), the Ohio Department of Transportation, Vodafone, Infoblox and Ford.
"The Capital One breach is a classic example of the 'insider threat' which has been present since the first merchant hung a shingle and sold goods and is certainly not limited to the digital age. [But] the insider threat is not limited to employees and extends to third-party providers as Capital One fell victim to," said Michael Magrath, director, global regulations and standards at OneSpan. "The third-party provider threat is a concern for CISOs and regulators alike, which is why the New York Department of Financial Services' Cybersecurity Requirements for Financial Services Companies include specific requirements regarding third-party service providers. Under the regulation, banks and financial services providers must secure their own systems as well as implement third-party risk management programs."
In this instance, the third party is a cloud-based storage service that, in theory, allows enterprises to inexpensively and securely outsource their data management. However, companies that fail to properly configure these storage buckets risk exposing their customers to data theft.
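The misconfiguration risk described above is usually checked by reading a bucket's policy document and its Public Access Block settings. The following is an added example, not code from the article, Capital One or AWS: it audits both, offline, taking the two documents as plain dicts in the same shape the AWS API returns them. The function names, the sample policy and the account and bucket names in it are constructed for illustration.

```python
"""
Added example (not from the article or AWS): an offline audit of an S3
bucket's configuration for one common class of misconfiguration, a bucket
that is readable by any principal. Inputs are the bucket policy document and
the Public Access Block configuration as dicts; sample data is constructed.
"""
import json

# The four Public Access Block flags AWS exposes; a bucket holding customer
# data should have all four set to True.
PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _principal_is_anyone(principal) -> bool:
    """True when a statement's Principal element matches every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_statements(policy: dict) -> list:
    """Sids of Allow statements open to any principal and not narrowed by a Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        # A Condition (e.g. a source-VPC restriction) may still scope the grant,
        # so such statements are left for manual review rather than flagged here.
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_access_block_gaps(config: dict) -> list:
    """Public Access Block flags that are missing or False."""
    return [flag for flag in PUBLIC_ACCESS_BLOCK_FLAGS if not config.get(flag, False)]


def audit_bucket(policy: dict, pab_config: dict) -> dict:
    """Combine both checks into one report for the bucket."""
    return {
        "public_statements": public_statements(policy),
        "public_access_block_gaps": public_access_block_gaps(pab_config),
    }


# Constructed sample: one statement scoped to an application role, one that
# lets anyone list and read objects, and a Public Access Block partly switched off.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-applications/*"},
    {"Sid": "WorldRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-applications",
                  "arn:aws:s3:::example-applications/*"]}
  ]
}
""")

SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_POLICY, SAMPLE_PAB), indent=2))
```

Run against the constructed sample, the report names the `WorldRead` statement and the two Public Access Block flags that are off. In a real account the same two dicts come from the bucket-policy and public-access-block API calls, and an empty report for every bucket is the baseline the quoted experts are asking for.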
"There is an assumption amongst businesses that a cloud storage provider will provide all of the necessary security protection for the cloud-hosted services," said Matt Aldridge, senior solutions architect at Webroot. "Although many of the leading cloud service providers are beginning to build more comprehensive and advanced security offerings into their platforms, cloud-hosted services still require the same level of risk management, ongoing monitoring, upgrades, backups and maintenance as traditional infrastructure."
"While it's reassuring to see that AWS isn't explicitly at fault for this breach, it's concerning that even established financial institutions with typically strong security practices are failing to lock things down correctly," Aldridge continued. "This breach should serve as an unfortunate reminder that like all infrastructure components, cloud storage solutions should be properly evaluated, protected and maintained."
Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, agreed. "Cloud storage is an increasingly attractive option for large corporations because it is cheaper than on premise, but attacks like this show that organizations aren’t adopting security with the same vigor. And they should, otherwise the financial cost of penalties and lawsuits will vastly outweigh any IT savings," said Galloway.
"Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds," said Igor Baikalov, chief scientist at Securonix. "This fact alone shouldn't be considered a setback for the adoption of public cloud. It should rather be viewed as another harsh reminder of the importance of third-party security and insider threat programs for both providers and consumers of public cloud services."
In a press release yesterday, Capital One said that it immediately fixed the configuration vulnerability upon learning of the breach from a July 17 email tip. Furthermore, the company does not believe any of the leaked data was used for fraud.
Capital One admitted that the unauthorized access to the stored data would have allowed for the decryption of any encrypted data; however, especially sensitive data such as Social Security numbers and account numbers was also tokenized. "The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected," the company explained.
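The distinction Capital One draws, that access which enables decryption of encrypted fields still leaves tokenized fields protected because the tokens are unlocked by a different method and different keys, can be seen in a small model. The following is an added example, not Capital One's design or code: e-mail is encrypted under a data-encryption key, while the SSN is replaced by a random token whose only link to the real value lives in a separate vault. The cipher is a toy SHA-256 keystream, constructed so the example runs with the standard library alone; all function and class names are assumptions.

```python
"""
Added example (not from the article or Capital One): encrypted versus
tokenized fields. A party holding the record store and the encryption key
recovers encrypted fields but sees only the token for tokenized ones. The
keystream cipher below is a toy for illustration; a real system uses an
authenticated cipher such as AES-GCM.
"""
import hashlib
import secrets

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream built from SHA-256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_field(key: bytes, plaintext: str) -> bytes:
    """Encrypt one field; the fresh nonce is prepended so decryption can rebuild the keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct


def decrypt_field(key: bytes, blob: bytes) -> str:
    """Inverse of encrypt_field: anyone holding the key can read the field."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class TokenVault:
    """Maps sensitive values to random, format-preserving tokens.

    The vault is the only place the mapping exists; it is held in a separate
    system with its own access controls, not alongside the record store.
    """

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}

    def tokenize(self, value: str) -> str:
        if value in self._token_by_value:
            return self._token_by_value[value]
        while True:
            # Same length and character class as the input, no mathematical relation to it.
            token = "".join(secrets.choice("0123456789") if c.isdigit() else c for c in value)
            if token != value and token not in self._value_by_token:
                break
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]


def store_applicant(key: bytes, vault: TokenVault, email: str, ssn: str) -> dict:
    """What the application data store holds: encrypted e-mail, tokenized SSN."""
    return {"email": encrypt_field(key, email), "ssn": vault.tokenize(ssn)}


def exposure_with_stolen_key(record: dict, key: bytes) -> dict:
    """What someone holding the record store and the encryption key, but not the vault, can read."""
    return {"email": decrypt_field(key, record["email"]), "ssn": record["ssn"]}


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    vault = TokenVault()
    record = store_applicant(key, vault, "applicant@example.com", "123-45-6789")
    print("stored:", record)
    print("visible with key but without vault:", exposure_with_stolen_key(record, key))
    print("vault lookup:", vault.detokenize(record["ssn"]))
```

The model makes Ray's question concrete: the value of encryption depends entirely on where the key is and who can reach it, whereas the token is useless without the vault, so the vault's own access path is what has to be reviewed separately.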
However, Jerry Ray, COO of SecureAge, wasn't satisfied. "Capital One's claims regarding its encryption practices are weak," said Ray. "Particularly the line about, 'unauthorized access also enabled decrypting,' which goes against the very core function of responsible encryption practices. It's precisely when unauthorized attempts to access data occur that encryption displays its value and worth. What's missing here is the key, literally. What type of key was it? And who had it?"
Thompson, 33, has been charged with one count of computer fraud and abuse. In the DOJ's complaint, FBI Special Agent Joel Martini claims that the GitHub page found containing the breach information incriminates Thompson because its address includes her name. Clicking on that name in the address takes the user to a main GitHub page for Paige Thompson, which includes a link to a separate GitLab page containing Thompson's resume.
Investigators also allegedly found incriminating posts on Slack and Twitter by a user with the alias "erratic," a handle that Thompson allegedly also used on a Meetup page that she created.
In the official legal complaint, Martini writes that a screenshot of Twitter provided by Capital One shows the user "ERRATIC" sending a direct message that says "Ive basically strapped myself with a bomb vest, f**king dropping capitol [sic] ones dox and admitting it" and "I wanna distribute those buckets i think first."
"There ssns...with full name and dob," the message continues, according to the filed complaint.