There is a saying that we are our own worst enemy. While we may have the best intentions, at times we create our own issues, to our own detriment. This has been notable with one particular use case: AWS and misconfigured servers. These misconfigurations have created many issues for data owners and managers. The latest victim is Capital One, due to its misconfigured AWS environment. This certainly won't be the last such incident in the industry.
To say this was massive would be an understatement. This is one of the biggest data breaches involving a financial services company. There were 106M persons involved. The affected persons were not only in the US but also in Canada. The breach was open for an extended period of time, from March 19 through July 17, 2018.
The focal point for the attack was the cloud servers rented from AWS. There was an issue with the cloud configuration. The attack was exceptionally successful due to a misconfigured web application firewall. The attacker used a special command to extract the files from Capital One's AWS environment. Oddly, on June 16, 2019 the attacker posted on Twitter exactly how it was done. This was a very odd event: generally, if you are going to gain unauthorized entry, you don't want everyone to know exactly who you are. In this case, the attacker did just that.
The data related to credit card applications filed between 2005 and early 2019, a large span of time over which to exfiltrate data. The attacker accessed credit applications, Social Security numbers (approximately 40k in the US and 1M Canadian social insurance numbers), bank account numbers (approximately 80k), names, addresses, dates of birth, and financial information (e.g. self-reported credit scores). Fortunately, no credit card account numbers or logins were exposed in the breach. Altogether, the total amount of data was approximately 30GB. Somehow, the attacker was able to exfiltrate this data over months without any person or application examining the logins or data access for an extended period.
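The point above, that tens of gigabytes were pulled out over months with nobody looking at the access pattern, is where a simple volume-based detection would have helped. The script below is an added example written for this post, not code from Capital One, AWS or the article's author. It assumes the files lived in S3 and that S3 data events were being written to CloudTrail (the post itself only says "files in the Capital One AWS"); the role names, account id, bucket names, timestamps and thresholds are all constructed for illustration. It slides a one-hour window over GetObject records per principal and reports any principal whose distinct-object count or byte volume in that window exceeds a threshold.

```python
"""Flag principals that read an unusual volume of S3 objects in a short window.

Added example for this post, not code from Capital One, AWS or the article's
author. It assumes the exfiltrated files were S3 objects and that S3 data
events were being written to CloudTrail (the post only says "files in the
Capital One AWS"); every log record here is constructed for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def parse_event(raw):
    """Reduce one CloudTrail record (JSON text or dict) to the fields we need.

    Returns None for anything that is not an S3 GetObject data event.
    """
    ev = json.loads(raw) if isinstance(raw, str) else raw
    if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") != "GetObject":
        return None
    params = ev.get("requestParameters") or {}
    extra = ev.get("additionalEventData") or {}
    return {
        "time": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "principal": ev.get("userIdentity", {}).get("arn", "unknown"),
        "bucket": params.get("bucketName", ""),
        "key": params.get("key", ""),
        "bytes": int(extra.get("bytesTransferredOut", 0)),
        "ip": ev.get("sourceIPAddress", ""),
    }


def find_bulk_readers(events, window=timedelta(hours=1), max_objects=50, max_bytes=1 << 30):
    """Sliding-window count of distinct objects and bytes read per principal.

    A principal is reported when, inside any `window`, it read more than
    `max_objects` distinct objects or more than `max_bytes` bytes. The
    thresholds are assumptions; a real deployment would derive them from each
    role's historical baseline.
    """
    parsed = sorted((p for p in map(parse_event, events) if p), key=lambda e: e["time"])
    recent = defaultdict(deque)   # principal -> events inside the current window
    alerts = {}
    for ev in parsed:
        q = recent[ev["principal"]]
        q.append(ev)
        while ev["time"] - q[0]["time"] > window:   # drop events older than the window
            q.popleft()
        objects = len({(e["bucket"], e["key"]) for e in q})
        total = sum(e["bytes"] for e in q)
        if objects > max_objects or total > max_bytes:
            a = alerts.setdefault(ev["principal"], {"objects": 0, "bytes": 0, "buckets": set(), "ips": set()})
            a["objects"] = max(a["objects"], objects)
            a["bytes"] = max(a["bytes"], total)
            a["buckets"].update(e["bucket"] for e in q)
            a["ips"].update(e["ip"] for e in q)
    return alerts


def _record(ts, role, bucket, key, size, ip):
    """Build one constructed CloudTrail-shaped S3 GetObject record (account id is fake)."""
    return json.dumps({
        "eventTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::123456789012:assumed-role/{role}"},
        "requestParameters": {"bucketName": bucket, "key": key},
        "additionalEventData": {"bytesTransferredOut": size},
        "sourceIPAddress": ip,
    })


def sample_events():
    """Constructed log: a quiet batch job plus one role pulling 120 files in 30 minutes."""
    start = datetime(2019, 4, 21, 3, 0, tzinfo=timezone.utc)   # constructed timestamp
    events = []
    for i in range(10):   # normal: ten small reads spread over a day
        events.append(_record(start + timedelta(hours=2 * i), "nightly-report",
                              "reports-bucket", f"daily/{i}.json", 4096, "10.0.1.5"))
    for i in range(120):  # bulk read across three buckets from a single role
        events.append(_record(start + timedelta(seconds=15 * i), "constructed-app-role",
                              f"app-data-{i % 3}", f"applications/batch-{i}.csv",
                              5 * 1024 * 1024, "198.51.100.7"))
    return events


if __name__ == "__main__":
    for principal, a in find_bulk_readers(sample_events()).items():
        print(f"{principal}: {a['objects']} objects, {a['bytes'] / 2**20:.0f} MiB "
              f"from {sorted(a['buckets'])} via {sorted(a['ips'])}")
```

On the constructed log the nightly job never trips the detector, while the second role is reported with 120 objects, 600 MiB, three buckets and one source address. Byte counts only appear when S3 data events are enabled on the trail, so the `bytesTransferredOut` check silently degrades to a pure object count if they are not; a real deployment would also compare the reporting role's usual buckets and source addresses against what the window shows.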
The FBI has arrested a person in this case. The speedy arrest was largely due to the attacker letting everyone know who they were and not trying to hide anything. The attacker previously worked as an Amazon Web Services (AWS) engineer. The attacker's name of record is Paige A. Thompson. Given her lack of foresight, she is certainly a nominee for the Darwin Award. She bragged about the breach and crime on GitHub and social media. She tried to share the data online rather than on the dark web. To top off the award nomination, she used her full first, middle, and last name. She also stored the data in a GitHub account for the user “Netcrave”. The GitHub site also happened to have Paige's resume (oops). She also used the alias “erratic”.
The criminal complaint was filed in the Western District of Washington. The hearing was on August 1, 2019. To further support the allegation with yet more evidence, the FBI executed a search warrant and seized electronic storage devices. The storage devices contained a copy of the data.
The AWS configuration has been corrected. Capital One stated it was not likely the data was used fraudulently. It is very easy to state this, but exceptionally difficult to guarantee. They did promise to provide 12 months of credit monitoring for affected parties. They are also recommending that affected parties watch for phishing emails.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.