In a federal court criminal complaint filed yesterday, the Department of Justice alleges that Paige Thompson hacked into Capital One Financial Corporation’s cloud storage earlier this year and exfiltrated large volumes of Capital One’s consumer data.

The complaint paints a picture of an alleged hacker living up to the handle “erratic.”  According to the complaint, on July 18 Ms. Thompson stated in a Twitter Direct Message “Ive basically strapped myself with a bomb vest, f***ing dropping capital ones dox and admitting it … I wanna distribute those buckets i think first … There ssns…with full name and dob”.  Initial press reports indicate that Ms. Thompson, a 33-year-old Seattle resident, has held a variety of software engineering jobs, including a stint at Amazon Web Services in 2015 and 2016, and that, per her resume, she is currently the owner of Netcrave Communications, a “hosting company.”  Hmmmm.

Per the complaint, Capital One indicates that the compromised data was primarily related to credit card applications, with only some of the data tokenized or encrypted.  The complaint further alleges that, according to Capital One, data from tens of millions of applications may have been accessed, including approximately 120,000 Social Security numbers and 77,000 bank account numbers.

As of today, Capital One’s website states that the hack “affected approximately 100 million individuals in the United States and approximately 6 million in Canada. … Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised. … The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”

Capital One further states that the hack compromised information beyond credit card application data, including: “[c]ustomer status data, e.g., credit scores, credit limits, balances, payment history, contact information” and “[f]ragments of transaction data from a total of 23 days during 2016, 2017 and 2018.”  According to Capital One, “[a]bout 140,000 Social Security numbers of our credit card customers” were compromised, along with “[a]bout 80,000 linked bank account numbers of our secured credit card customers.”  Capital One adds that “[f]or our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.”

These are early days for this breach investigation, and we’ll no doubt learn more as things unfold.  But a key question will be, what does this breach tell us about the security of cloud-hosted data?

Early reports indicate that Capital One’s cloud host is Amazon Web Services, but that large enterprises such as Capital One build their own web applications on top of Amazon’s cloud platform.  The complaint indicates that “a firewall configuration permitted commands to reach and be executed by [a] server, which enabled access to folders or buckets of data in Capital One’s [cloud] storage space ….”  And Capital One’s website indicates that, upon its discovery of the hack, Capital One “immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement.”

This suggests that the security vulnerability was not the cloud provider’s, but rather was a vulnerability in configuration by the cloud customer entity.  And, as noted in KrebsOnSecurity’s post today, there may be other improperly secured Amazon cloud instances for other organizations.  Time will tell.  Certainly, cloud hosting by a reputable, security-conscious provider can bring with it many cyber security advantages, including patching hygiene and robust perimeter defenses.  But the devil is in the details, and configurations of user overlays are a potential risk hot spot.
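The two customer-side settings the complaint and Capital One’s statement point at are a firewall rule that let outside commands reach a server and storage permissions that let that server read whole buckets.  The following script is an added illustration, not code from the post, from Capital One or from Amazon: it audits a simplified, constructed firewall rule set and a bucket policy for exactly those two weaknesses, showing the weak configuration next to a least-privilege one.  The rule dictionaries are a hypothetical stand-in for a provider’s real security-group format; the policy follows the IAM policy JSON shape, with a made-up account id and role name.

```python
"""Audit customer-side cloud configuration for the two weaknesses the post
describes: a perimeter rule that exposes a server's management ports to the
whole internet, and a storage policy that grants that server far more than
it needs.  Added example; all rules, policies, ids and names are constructed."""
import ipaddress

# Management/data ports that a hardened perimeter should never open to 0.0.0.0/0.
SENSITIVE_PORTS = {22, 3389, 5985, 5986, 9200, 27017}


def exposed_rules(rules):
    """Return (rule name, ports) for ingress rules that expose sensitive
    ports, or every port, to any source address on the internet."""
    findings = []
    for r in rules:
        if r["direction"] != "ingress":
            continue
        if ipaddress.ip_network(r["cidr"]).prefixlen != 0:
            continue  # scoped to a specific network, not the whole internet
        lo, hi = r["ports"]
        if lo == 0 and hi == 65535:
            findings.append((r["name"], "all ports"))
            continue
        hit = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if hit:
            findings.append((r["name"], hit))
    return findings


def overbroad_statements(policy):
    """Return the Sids of Allow statements that grant wildcard actions or
    wildcard resources, i.e. more than one application role should hold."""
    findings = []
    for s in policy["Statement"]:
        if s["Effect"] != "Allow":
            continue
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" or r.endswith(":::*") for r in resources)
        if wild_action or wild_resource:
            findings.append(s["Sid"])
    return findings


def audit(rules, policy):
    """Combine both checks into one report; empty lists mean nothing flagged."""
    return {"exposed_rules": exposed_rules(rules),
            "overbroad_statements": overbroad_statements(policy)}


# Constructed "before" configuration: a catch-all ingress rule and a role that
# may do anything to any bucket.
WEAK_RULES = [
    {"name": "web", "direction": "ingress", "cidr": "0.0.0.0/0", "ports": (443, 443)},
    {"name": "admin-any", "direction": "ingress", "cidr": "0.0.0.0/0", "ports": (0, 65535)},
]
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppAccess", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/web-app"},  # hypothetical role
    "Action": "s3:*", "Resource": "arn:aws:s3:::*"}]}

# Constructed "after" configuration: admin access only from an internal range,
# and the role limited to reading objects in the one bucket it serves.
HARDENED_RULES = [
    {"name": "web", "direction": "ingress", "cidr": "0.0.0.0/0", "ports": (443, 443)},
    {"name": "admin-vpn", "direction": "ingress", "cidr": "10.20.0.0/16", "ports": (22, 22)},
]
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/web-app"},  # hypothetical role
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-data/*"}]}  # hypothetical bucket

if __name__ == "__main__":
    print("weak:    ", audit(WEAK_RULES, WEAK_POLICY))
    print("hardened:", audit(HARDENED_RULES, HARDENED_POLICY))
```

Run it and the weak configuration is flagged on both counts while the hardened one is clean.  The point of pairing the two checks is that neither weakness alone is the whole story: the firewall rule decides whether commands can reach the server, and the storage policy decides how much that server can read once it is reached, so both belong in any review of a customer’s own overlay on a provider’s platform.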