News Hub

Capital One breach affecting 106 million customers caused by misconfigured cloud storage

Written by Tue 30 Jul 2019

Scores of personal information including social security numbers, credit scores and balances were sitting on Github for weeks

A hacker gained access to personal information from more than 100 million Capital One credit applications in the US, the bank said as US federal authorities arrested a suspect in the case.

Paige A Thompson – who also goes by the name “erratic” -was charged with a single count of computer fraud and abuse in the US district Court in Seattle.

Thompson made an initial appearance in court and was ordered to remain in custody pending a detention hearing on Thursday.

The alleged hacker obtained information including credit scores and balances plus the social security numbers of about 140,000 customers, the bank said. Capital One will offer free credit monitoring services to those affected.

The FBI raided Thompson’s residence and seized digital devices. An initial search turned up files that referenced Capital One and “other entities that may have been targets of attempted or actual network intrusions”.

Breaking down the breach

The data breach is one of the largest targeting a big bank and occurred between March 12 and July 17.

Capital One, based in McLean, Virginia, said it found out about the vulnerability in its system on July 19 and immediately sought help from law enforcement to catch the perpetrator.

According to the FBI complaint, someone emailed the bank two days before that notifying it that leaked data had appeared on GitHub.

A month before that, the FBI said, a Twitter user who went by “erratic” sent another user direct messages warning about distributing the bank’s data, including names, birthdates and social security numbers. That user later reported the message to Capital One.

“Ive basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” one said. “I wanna distribute those buckets i think first.”

Exactly what Thompson did with the data apart from sharing it online remains unclear. Capital One said it believes it is unlikely the information was used for fraud, but it will continue to investigate.

In total, the data breach affected about 100 million people in the US and 6 million in Canada. 140,000 social security numbers linked to 80,000 linked banked account numbers were stolen from US customers and 1 million Social Insurance Numbers were stolen from Capital One customers in Canada.

AWS storage

The data was stored on AWS S3 cloud storage and pertained to credit card applications and included addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income.

The bank said applications also included “credit card customer data” including credit scores, credit limits, balances, payment history, contact information and “fragments of transaction data.”

Capital One blamed the breach on an alleged hacker:

“We believe that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment,” the bank said in a statement.

However, it has since emerged that the hacker was able access the data as it was stored on a misconfigured AWS S3 cloud storage instance. Capital One has since quietly taken responsibility for failing to secure the instance, which needless to say is basic practice in cloud cyber security.

Other companies that have had data exposed via misconfigured AWS S3 instances include, Accenture, Verizon, and Veeam.

“When you trust your data on someone else’s servers, you inherently trust the people that company has hired as if you hired them yourself. We sign contracts for cloud and SaaS without batting an eye because of all the money we will save. But do we ever ask about the data centre administrators walking through the rows of computers hosting our data?” said Justin Fier, director of cyber intelligence at cybersecurity company Darktrace.

“I think this will wake companies up to evaluating the risks associated with cloud computing.”

Big bank breaches

Capital One Financial Corporation, the US’s seventh-largest commercial bank with 373.6 billion US dollars (£307 billion) in assets as of June 30, is the latest US company to suffer a major data breach in recent years.

In 2017, a data breach at Equifax, one of the major credit reporting companies, exposed the social security numbers and other sensitive information of roughly half of the US population.

Last week, Equifax agreed to pay at least 700 million dollars to settle lawsuits over the breach in a settlement with federal authorities and states. The agreement includes up to 425 million dollars in monetary relief to consumers.

Written by Tue 30 Jul 2019


AWS capital one cloud security cybersecurity data breach
Send us a correction Send us a news tip