Capital One-Yet Another Breach
Charles Parker, II
There is a saying that we are our own worst enemy. While we
may have the best intentions, at times we create our own issues that act
to our own detriment. This has been notable with one particular use case. The focal
point has been AWS and misconfigured servers. This has created a great many
issues for the data owners and managers. The latest victim is Capital One, due
to its misconfigured AWS environment. This certainly won't be the last such incident across the
industry.
Breach
To note that this was massive would be an understatement. This is
one of the biggest data breaches involving a financial services company. There were
106M persons involved. The affected persons were not only in the US but
were also located in Canada. The breach was open for an extended period of
time, from March 19 through July 17, 2018.
Method
The focal point for the attack was the cloud servers rented
from AWS. There was an issue with the cloud configuration. The attack was
exceptionally successful due to a misconfigured web application firewall. The attackers
used a special command to extract the files in the Capital One AWS environment. Oddly, on
June 16, 2019, the attacker posted on Twitter exactly how it was done. This was
a very odd event. Generally, if you are going to gain unauthorized entry, you
don't want everyone to know exactly who you are. In this case, the attacker did
just that.
Data
The data was related to credit card applications filed
between 2005 and early 2019. That is a rather long span of records to exfiltrate.
The attacker accessed credit applications, social security numbers (approximately
40k US social security numbers and 1M Canadian social insurance numbers), bank account numbers
(approximately 80k), names, addresses, dates of birth, and financial
information (e.g. self-reported credit scores). Fortunately, no credit card
account numbers or logins were exposed in the breach. Altogether, the total
amount of data was approximately 30GB. Somehow, the attacker was able to
exfiltrate this data over months, without anyone or any application examining the logins
or data access for an extended period.
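The last point is the one a defender can act on: a single identity reading a large volume of records across many days should stand out if anyone is looking at the access logs. The following is an added example, not code from the article or from Capital One, showing one simple way to surface that pattern. The log format (one line per object read: timestamp, principal, object key, bytes), the principal names, and the thresholds are all constructed for the example.

```python
"""Flag identities that read an unusually large volume of objects over time.

Added illustration only: the log format, principals, and thresholds below are
constructed assumptions, not Capital One's real logs or a vendor's log schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ReadEvent:
    when: datetime
    principal: str   # identity that performed the read
    key: str         # object that was read
    size: int        # bytes returned


def build_sample_log() -> str:
    """Construct sample log text: one normal application role reading a few
    records a day for 30 days, and one identity ("temp-creds-1", a made-up
    name) pulling 50 records a day for 20 days."""
    start = datetime(2019, 3, 19, 2, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = ["# constructed sample log: timestamp principal key bytes"]
    for day in range(30):
        for i in range(3):
            ts = (start + timedelta(days=day, seconds=i)).strftime(fmt)
            lines.append(f"{ts} app-role acct/{day * 3 + i}/app.json 4096")
    for day in range(20):
        for i in range(50):
            ts = (start + timedelta(days=day, hours=1, seconds=i)).strftime(fmt)
            lines.append(f"{ts} temp-creds-1 acct/bulk/{day * 50 + i}/app.json 4096")
    return "\n".join(lines)


def parse_log(text: str) -> list[ReadEvent]:
    """Parse the constructed whitespace-separated format into events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, principal, key, size = line.split()
        events.append(ReadEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                principal, key, int(size)))
    return events


def summarize(events: list[ReadEvent]) -> dict:
    """Per principal: total bytes read, distinct objects, distinct active days."""
    per = defaultdict(lambda: {"bytes": 0, "objects": set(), "days": set()})
    for e in events:
        s = per[e.principal]
        s["bytes"] += e.size
        s["objects"].add(e.key)
        s["days"].add(e.when.date())
    return per


def flag_bulk_readers(events: list[ReadEvent], max_bytes: int,
                      max_objects: int) -> list[tuple[str, int, int, int]]:
    """Return (principal, total_bytes, n_objects, n_days) for every identity
    whose cumulative reads exceed either threshold. Thresholds are assumed
    to come from a baseline of normal application behaviour."""
    flagged = []
    for principal, s in sorted(summarize(events).items()):
        if s["bytes"] > max_bytes or len(s["objects"]) > max_objects:
            flagged.append((principal, s["bytes"], len(s["objects"]), len(s["days"])))
    return flagged


if __name__ == "__main__":
    for row in flag_bulk_readers(parse_log(build_sample_log()),
                                 max_bytes=1_000_000, max_objects=500):
        print("review:", row)
```

The point of reporting distinct days alongside volume is that a slow, months-long pull can stay under any single-day threshold; cumulative counts per identity are what make it visible.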
Perpetrator
The FBI has arrested a person in this case. The speedy
arrest was largely due to the attacker letting everyone know who they were, and
not trying to hide anything. The attacker previously worked as an Amazon Web
Services (AWS) engineer. The attacker's name of record is Paige A. Thompson.
Given her lack of discretion, she is certainly a nominee for the Darwin
Award. She bragged about the breach and crime on GitHub and social media. She
tried to share the data online, and not on the dark web. To top off the award
nomination, she used her full first, middle, and last name. She also stored the
data in a GitHub account for the user "Netcrave". The GitHub site also happened
to have Paige's resume (oops). She also used the alias "erratic".
The criminal complaint was filed in the Western District of
Washington. The hearing was on August 1, 2019. To further support the
allegation with yet more evidence, the FBI executed a search warrant and seized
electronic storage devices. The storage devices contained a copy of the data.
Mitigation
The AWS configuration has been corrected. Capital One stated it was
not likely the data was used fraudulently. It is very easy to state this, but
exceptionally difficult to guarantee. They did promise to provide 12 months of
credit monitoring for affected parties. They are also recommending that the
affected parties watch for phishing emails.
Resources
Corcoran, J. (2019, July 30). Former AWS engineer arrested as Capital One admits massive data breach. Retrieved from https://threatpost.com/aws-arrest-data-breach-capital-one/146758/
Krebs, B. (2019, July 19). Capital One data theft impacts 106M people. Retrieved from https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/
McLean, R. (2019, July 30). A hacker gained access to 100 million Capital One credit card applications and accounts. Retrieved from https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html
U.S. Attorney's Office. (2019, July 29). Seattle tech worker arrested for data theft involving large financial services company. Retrieved from https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arrested-data-theft-involving-large-financial-services-company