[BreachExchange] Former AWS Engineer Arrested as Capital One Admits Massive Data Breach

Destry Winant destry at riskbasedsecurity.com
Tue Jul 30 10:12:42 EDT 2019


https://threatpost.com/aws-arrest-data-breach-capital-one/146758/

More than 100 million customers have had their data compromised by a
hacker after a cloud misconfiguration at Capital One.

A massive breach of Capital One customer data has hit more than 100
million people in the U.S. and 6 million in Canada.

Thanks to a cloud misconfiguration, a hacker was able to access
credit applications, Social Security numbers and bank account numbers
in one of the biggest data breaches to ever hit a financial services
company — putting it in the same league in terms of size as the
Equifax incident of 2017.

The FBI has already arrested a suspect in the case: A former engineer
at Amazon Web Services (AWS), Paige Thompson, after she boasted about
the data theft on GitHub.

According to a criminal complaint filed in the Western District of
Washington’s U.S. Attorney’s Office, the intrusion occurred between
March 19 and July 17 via a “misconfigured web application firewall.”

The illegally accessed data, which was stored on cloud servers rented
from AWS, was primarily related to credit-card applications made
between 2005 and early 2019, by both consumers and businesses. These
include a raft of personal information, such as names, addresses and
dates of birth; and financial information, including self-reported
income and credit scores.

According to Capital One, no credit-card account numbers or log-in
credentials were compromised and only about 140,000 Social Security
numbers are impacted, meaning that “over 99 percent of Social Security
numbers” were untouched, the company said. In Canada, about 1 million
social insurance numbers were compromised.

Exposed data also included credit scores, credit limits, balances,
payment history, contact information and fragments of transaction data
from 23 days during 2016, 2017 and 2018.

“I sincerely apologize for the understandable worry this incident must
be causing those affected and I am committed to making it right,” said
Capital One CEO Richard Fairbank, in a statement.

The company added it fixed what it called a “configuration
vulnerability” and that it is “unlikely that the information was used
for fraud or disseminated by this individual” — though investigations
are ongoing.

The company has pledged credit monitoring for those impacted, but
Colin Bastable, chief executive at anti-phishing firm Lucy Security,
said banks like Capital One and their employees should be doing more
to detect potential phishing attacks in the aftermath of the incident.

“Capital One victims are going to be phished for years to come – long
after the 12 months’ credit monitoring is done,” explained Bastable in
an email statement. “The Dark Web probably knows more about most
people in North America than their governments will publicly admit to.
Employers need to protect themselves by ensuring that their employees
are security-aware.”

The suspect Thompson, who used the alias “erratic” in online
conversations, allegedly posted several times about the theft on
GitHub and on social media. One posting on a Twitter account with the
username “erratic” read: “I’ve basically strapped myself with a bomb
vest, f#cking dropping capital ones dox and admitting it.”

News of the Capital One breach comes after U.S. credit monitoring
agency Equifax last week agreed to pay up to $700 million to settle a
similar incident that hit the company in 2017, affecting nearly 150
million customers.

Amazon, for its part, pointed to the admission of misconfiguration in
the court documents and the Capital One statement, with a spokesman
telling Bloomberg that Capital One’s data was not accessed through a
vulnerability in AWS systems.

“The Capital One breach is proof that companies have a lot to learn
when it comes to deploying security technology effectively,” said
James Hadley, CEO at Immersive Labs, via email. “From reading their
description of the breach, you would be forgiven for thinking it was
an elite hacker exploiting a vulnerability. In reality, as stated by
the FBI, it was simply a poorly configured firewall that allowed the
hacker in.”

Justin Fier, director of cyber-intelligence at Darktrace, echoed
Bastable’s warning and said that nabbing the perpetrator — should she
prove guilty — does not guarantee that the data has not already
reached the Dark Web. “In the new digital era, data is currency, and
when it falls into the wrong hands it can spread like wildfire
throughout the criminal community,” Fier added.