The news about Capital One’s recent data breach is unlike most other data breaches in that the hacker has been identified. Many now know Paige Thompson, the 33-year-old ex-Amazon worker who detailed her exploits on Twitter and Slack. While exploring the mental state of a hacker is interesting, finding out how a financial services company like Capital One can expose itself to attack is even more interesting.
In a press statement, Capital One called the vulnerability that Thompson exploited a configuration vulnerability. There are various configuration vulnerabilities, and AWS may have a particular set of vulnerabilities that have yet to be publicly documented. Thompson, in particular, was a former AWS employee and so would have had inside knowledge about how one could exploit credential vulnerabilities in AWS. Ray Watson, a security researcher for Masergy, explained how Thompson could have gained access to Capital One’s data. “She allegedly used web application firewall credentials to obtain privilege escalation. Also the use of Tor and an offshore VPN for obfuscation are commonly seen in similar data breaches.” He concluded that this was the modus operandi for such data breaches.
There isn’t much detail about the exploit itself beyond the generic fact that Thompson escalated privileges by exploiting a configuration vulnerability. The question is, who is to blame? Hackers will always exist, and web servers can’t babysit every company. In this case, Capital One is culpable in that a configuration vulnerability can be monitored and easily fixed if security is a top priority. Knowing that servers are just a configuration error away from being exposed to hackers, regular checks should’ve taken place to test for insecure configurations. It’s alarming that Capital One had to be tipped off before they discovered that the sensitive data of over 100 million users was publicly available online. Though, to credit Capital One, they immediately responded with a fix.
In this case, Capital One was fortunate that the hacker did not appear to use the data in any malicious way. According to Capital One, “it is unlikely that the information was used for fraud or disseminated by this individual.” The information Thompson collected includes:
- “Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information”
- “40,000 Social Security numbers of [Capital One’s] credit card customers”
- “80,000 linked bank account numbers of [Capital One’s] secured credit card customers”
- 1 million Canadian Social Insurance Numbers
Though Capital One claims that “no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised,” there are still plenty of affected users: 106 million, to be exact. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right,” said Capital One CEO Richard Fairbank. Making it right means providing free credit monitoring and identity protection.