In a federal court criminal complaint filed yesterday, the Department of Justice alleges that Paige Thompson hacked into Capital One Financial Corporation’s cloud storage earlier this year and exfiltrated large volumes of Capital One’s consumer data.
The complaint paints a picture of an alleged hacker living up to the handle “erratic.” According to the complaint, on July 18 Ms. Thompson stated in a Twitter Direct Message “Ive basically strapped myself with a bomb vest, f***ing dropping capital ones dox and admitting it … I wanna distribute those buckets i think first … There ssns…with full name and dob”. Initial press reports indicate that Ms. Thompson, a 33-year-old Seattle resident, has held a variety of software engineering jobs, including a stint at Amazon Web Services in 2015 and 2016, and that, per her resume, she is currently the owner of Netcrave Communications, a “hosting company.” Hmmmm.
These are early days for this breach investigation, and we’ll no doubt learn more as things unfold. But a key question will be, what does this breach tell us about the security of cloud-hosted data?
Early reports indicate that Capital One’s cloud host is Amazon Web Services, but that large enterprises such as Capital One build their own web applications on top of Amazon’s cloud platform. The complaint indicates that “a firewall configuration permitted commands to reach and be executed by [a] server, which enabled access to folders or buckets of data in Capital One’s [cloud] storage space ….” And Capital One’s website indicates that, upon its discovery of the hack, Capital One “immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement.”
This suggests that the security vulnerability was not the cloud provider’s, but rather was a vulnerability in the configuration chosen by the cloud customer. And, as noted in KrebsOnSecurity’s post today, there may be other improperly secured Amazon cloud instances belonging to other organizations. Time will tell. Certainly, cloud hosting by a reputable, security-conscious provider can bring with it many cybersecurity advantages, including patching hygiene and robust perimeter defenses. But the devil is in the details, and the configuration of what the customer builds on top of the provider’s platform is a potential risk hot spot.