
Former AWS engineer arrested for Capital One data breach

Capital One announces data breach affecting more than 100 million customers as US federal authorities arrest a Seattle woman formerly employed by Amazon Web Services

Capital One has revealed a data breach affecting 100 million US customers and a further six million in Canada as Federal Bureau of Investigation (FBI) officers arrested a suspect.

The US Justice Department said Paige Thompson, 33, a former software engineer at a Seattle technology company, was arrested on 29 July and charged with computer fraud and abuse for allegedly hacking into the financial firm’s data.

Thompson appeared briefly in the Seattle District Court and was ordered to be detained pending a hearing on 1 August, according to Reuters.

According to Capital One, the breach of personal data contained in credit applications was discovered on 19 July 2019, two days after it was alerted to the configuration vulnerability by an external security researcher through the company’s responsible disclosure programme.

Capital One said it immediately fixed the “configuration vulnerability” exploited by the hacker, augmented routine scanning to look for this issue on a continuous basis, and promptly began working with federal law enforcement.

“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” the company said in a statement. “However, we will continue to investigate.”

According to Capital One, no credit card account numbers or log-in credentials were compromised and “over 99% of social security numbers” were not compromised.

The largest category of information accessed related to consumers and small businesses when they applied for credit card products between 2005 and early 2019, said the company.

This information included names, addresses, postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

Exposed data also included credit scores, credit limits, balances, payment history, contact information, fragments of transaction data from 23 days during 2016, 2017 and 2018, and about 140,000 social security numbers.

Capital One also said about one million social insurance numbers belonging to Canadian customers were compromised.

“We will notify affected individuals through a variety of channels,” it said. “We will make free credit monitoring and identity protection available to everyone affected.”

Capital One said it had invested heavily in cyber security and would continue to do so. “We will incorporate the learnings from this incident to further strengthen our cyber defences,” it added.

Although Capital One encrypts data as a standard, the company said that “due to the particular circumstances of this incident, the unauthorised access also enabled the decrypting of data”. This is the usual limit of encryption at rest: the storage service holds the key and decrypts transparently for any principal authorised to read, so whoever can call the read API with sufficient permissions receives plaintext, however that access was obtained. Capital One added that it also applies tokenisation to selected fields, including social security numbers and account numbers.

“Tokenisation involves the substitution of the sensitive field with a cryptographically generated replacement,” it said. “The method and keys to unlock the tokenised fields are different from those used to encrypt the data. Tokenised data remained protected.”
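The distinction Capital One draws between encrypted and tokenised fields can be shown in a small model. The following is an added example written for this article, not Capital One’s or AWS’s code, and it assumes a storage service that decrypts for any principal allowed to read, plus a separate token vault with its own key and its own permission check. The cipher is a SHAKE-256 keystream XOR used as a stand-in so the script runs with only the Python standard library; a real system would use AES-GCM. The record contents and the sample social security number are constructed.

```python
# Added example (not Capital One's or AWS's code): why data "encrypted at rest"
# came back in the clear for an intruder holding a read-capable identity, while
# tokenised fields did not. Assumptions are mine: one storage service that
# decrypts for any authorised reader, one separate token vault with its own
# key and its own access list. Sample data below is constructed.
import hashlib
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for AES-GCM): XOR data with SHAKE-256(key||nonce).
    Encryption and decryption are the same operation."""
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


class Principal:
    def __init__(self, name: str, permissions: set[str]):
        self.name = name
        self.permissions = permissions


class EncryptedStore:
    """Storage service with server-side encryption at rest.

    The service keeps the key and decrypts for ANY principal that may read,
    so encryption at rest defends the disks, not the read API."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._objects: dict[str, tuple[bytes, bytes]] = {}

    def put(self, principal: Principal, name: str, plaintext: bytes) -> None:
        if "store:write" not in principal.permissions:
            raise PermissionError(f"{principal.name} may not write {name}")
        nonce = secrets.token_bytes(16)
        self._objects[name] = (nonce, keystream_xor(self._key, nonce, plaintext))

    def get(self, principal: Principal, name: str) -> bytes:
        if "store:read" not in principal.permissions:
            raise PermissionError(f"{principal.name} may not read {name}")
        nonce, ciphertext = self._objects[name]
        return keystream_xor(self._key, nonce, ciphertext)  # transparent decrypt

    def raw_bytes(self, name: str) -> bytes:
        """What a stolen disk image would contain: ciphertext only."""
        return self._objects[name][1]


class TokenVault:
    """Separate service: random tokens map to values under the vault's own key.
    The data store only ever holds the token; recovering the value needs a
    second permission checked by this service, not by the store."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._map: dict[str, tuple[bytes, bytes]] = {}

    def tokenize(self, principal: Principal, value: str) -> str:
        if "vault:tokenize" not in principal.permissions:
            raise PermissionError(f"{principal.name} may not tokenise")
        token = "tok_" + secrets.token_hex(8)  # no relation to the value
        nonce = secrets.token_bytes(16)
        self._map[token] = (nonce, keystream_xor(self._key, nonce, value.encode()))
        return token

    def detokenize(self, principal: Principal, token: str) -> str:
        if "vault:detokenize" not in principal.permissions:
            raise PermissionError(f"{principal.name} may not detokenise")
        nonce, ciphertext = self._map[token]
        return keystream_xor(self._key, nonce, ciphertext).decode()


def build_and_raid() -> dict:
    """Store one credit-application record, then read it as an intruder who
    holds the credentials of the application's read-only identity."""
    store, vault = EncryptedStore(), TokenVault()
    ingest = Principal("ingest-job", {"store:write", "vault:tokenize"})
    app_role = Principal("web-app-role", {"store:read"})  # no vault:detokenize

    ssn = "078-05-1120"  # constructed sample (a well-known non-issued number)
    token = vault.tokenize(ingest, ssn)
    record = f"name=Jane Doe;income=85000;ssn={token}"
    store.put(ingest, "application-1", record.encode())

    # The intruder presents app_role's credentials; the store decrypts for them.
    leaked = store.get(app_role, "application-1").decode()
    fields = dict(kv.split("=", 1) for kv in leaked.split(";"))
    try:
        vault.detokenize(app_role, fields["ssn"])
        ssn_recovered = True
    except PermissionError:
        ssn_recovered = False
    return {
        "name_exposed": fields["name"] == "Jane Doe",
        "income_exposed": fields["income"] == "85000",
        "ssn_field_is_token": fields["ssn"].startswith("tok_") and fields["ssn"] != ssn,
        "ssn_recovered": ssn_recovered,
        "at_rest_ciphertext_differs": store.raw_bytes("application-1") != record.encode(),
    }


if __name__ == "__main__":
    for key, value in build_and_raid().items():
        print(f"{key}: {value}")
```

The point the model makes is the one in Capital One’s statement: the read identity gets names, income and balances in plaintext because the store decrypts on its behalf, while the social security number only ever exists in the store as a token whose mapping sits behind a different key and a different permission. The check a practitioner would make on a real deployment is the same as the one in `build_and_raid`: enumerate which identities can both read the data store and call the detokenisation service, since any identity holding both collapses the separation.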

Capital One said the speed with which the vulnerability was diagnosed and fixed, and its impact determined, was enabled by its cloud operating model.

Despite the speed of the resolution, Capital One expects the financial impact of the breach to be between $100m and $150m in 2019 because of costs associated with customer notifications, credit monitoring, technology costs, and legal support.

However, it said it carries insurance of up to $400m to cover certain costs associated with a cyber risk event, but noted that the “timing of recognition of costs may differ from the timing of recognition of any insurance reimbursement”.


Igor Baikalov, chief scientist at cyber security firm Securonix, said the incident highlights the importance of paying attention to security in the cloud context.

“The perpetrator of this breach was identified unusually quickly and turned out to be a former employee of AWS [Amazon Web Services], a cloud computing company contracted by Capital One,” according to Bloomberg.

“Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds. This fact alone should not be considered a setback for the adoption of public cloud. It should, rather, be viewed as another harsh reminder of the importance of third-party security and insider threat programmes for both providers and consumers of public cloud services.”

The Bloomberg report quoted an AWS spokesman as saying Capital One’s data was not accessed through a breach or vulnerability in AWS systems and noted that court papers cited a misconfigured firewall as enabling the unauthorised access.

The Capital One breach is an example of vulnerabilities of the cloud converging with the constant risks of insider threat, according to Justin Fier, director of cyber intelligence at security firm Darktrace.

“Only in this case it was a secondary insider as the threat came from a provider,” he said. “What will this do to the B2B market if we can’t trust the employees and procedures done by our partners?

“When you trust your data on someone else’s servers, you inherently trust the people that company has hired as if you had hired them yourself. We sign contracts for cloud and SaaS [software as a service] without batting an eyelid because of all the money we will save. But do we ever ask about the datacentre administrators walking through the rows of computers hosting our data? We inherently trust them. Why?

“Cloud is not going anywhere and this event, in particular, is not going to make everyone dust off their NAS [network-attached storage] boxes and come back to on-prem, but I think this will wake companies up to evaluating the risks associated with cloud computing.”

Fier added: “Although the perpetrator has already been caught, that doesn’t mean that the impacts of this data breach have been prevented. Looking at the timeline of when she had access, this information is likely to already be on the dark web. In the new digital era, data is currency, and when it falls into the wrong hands, it can spread like wildfire throughout the criminal community.”

Colin Bastable, CEO at anti-phishing firm Lucy Security, said: “At last, tokenisation is deployed, doing what it is supposed to do. Good job, Capital One – more please!”

But Bastable said all those affected by the breach and their employers should ensure that they know how to spot a phishing attack. “The dark web probably knows more about most people in North America than their governments will publicly admit to,” he said. “Employers need to protect themselves by ensuring that their employees are security aware.”
