Capital One revealed that it has been the target of a criminal data theft involving the personal information of more than 100 million individuals—putting it in the top 10 largest data breaches to date and making it one of the largest banking data breaches in history. The investigation is still in its early stages, but regardless of what we learn about how and why the breach occurred, this attack reinforces our belief that any company—regardless of size—can be a victim of a cyber attack. It also highlights the importance of cross-platform visibility and constant vigilance.
What We Know about the Capital One Data Breach
According to a statement issued by Capital One, the data breach affected approximately 100 million individuals in the United States, and about 6 million in Canada. Capital One states that most of the data accessed was from consumer and small business credit card applications from 2005 through 2019. The compromised information includes names, addresses, zip codes, phone numbers, email addresses, dates of birth, and self-reported income. Capital One believes there were about 140,000 Social Security numbers and 80,000 bank account numbers exposed in the breach.
The statement explains, “Capital One immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”
The FBI has arrested the alleged attacker. Paige Thompson is a Seattle-based software engineer who was an employee of AWS from 2015 to 2016.
An AWS spokesperson told CNBC, “AWS was not compromised in any way and functioned as designed. The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure ... this type of vulnerability is not specific to the cloud.”
Capital One was not aware of the ongoing breach until notified by a third party. Paige had been boasting of the data breach in an online forum when a Github user reached out to Capital One to alert them that they may have a misconfigured S3 bucket that was leaking data.
Configuration Errors, Insider Threats, and Constant Vigilance
Unlike traditional system and service security, cloud security is based on a shared responsibility model. The cloud provider (in this case AWS) is responsible for the security of the underlying enabling infrastructure, keeping it securely deployed and up-to-date. It’s common to view this as securing the infrastructure from the concrete through the hypervisor. Complementing this security, the customer (in this case Capital One) is responsible for the secure configuration, monitoring, and patching of the workloads and data they use on the cloud platform.
It is common for organizations, when moving to the cloud, to mistake the solid security of the cloud-provided infrastructure as a substitute for providing their own protection within the cloud, leaving themselves exposed to workload and application layer attacks. It’s also fairly common for companies to accidentally leave data exposed through poor security—regardless of whether the data is stored locally or in the cloud. If the data breach is, in fact, the result of poorly configured security on an S3 bucket, that is an issue that Capital One is responsible for.
This is why consistent and constant vigilance is needed. AWS is a solid infrastructure with great security, but those workloads bring with them all the native risks they would have presented while running on legacy infrastructure. Capital One is a large financial institution that invests significant resources to secure and protect company and customer data, but mistakes still happen. The moral of the story is that regardless of the strength of the infrastructure or the cybersecurity tools and processes in place, humans will be humans. You need to monitor continuously to detect configuration errors and suspicious activity, whether they are inadvertent or the result of intentional unethical activity.
Ultimately, Capital One is the company entrusted with the data and Capital One is responsible for protecting it. The threat landscape and population of threat actors is constantly shifting and growing; people—whether intentionally or inadvertently—will expose an organization to risk. This data breach proves the importance of understanding your role in the shared responsibility model, and for continuous monitoring vigilance to detect and respond to cybersecurity issues before this kind of damage happens.