This article originally appeared in TechNewsWorld on July 31, 2019.
Capital One Financial Corporation on Monday announced a data breach affecting some 100 million people in the United States and another 6 million in Canada. The FBI arrested the alleged perpetrator of the breach in Seattle.
Capital One on July 19 discovered someone had accessed its data stored online and obtained personal information of credit card customers and people who had applied for credit card products.
No credit card account numbers or log-in credentials were compromised in the breach, which is believed to have lasted for nearly five months — from March 12 to July 17, the company said.
However, the intruder accessed 140,000 Social Security numbers and 80,000 bank account numbers belonging to secured credit cared customers. Secured credit cards are issued to people who have no-credit or low-credit ratings.
Based on its analysis to date, Capital One believes it is unlikely that the information was used in any widespread attacks.
“It appears that the breach was discovered before the alleged hacker had a chance to widely disseminate the information for exploit,” said former FBI agent Leo Taddeo, now CISO of Cyxtera Technologies, a secure infrastructure platform provider based in Coral Gables, Florida.
“So, if no additional hackers had access to the same entry point, there is a chance the breach was contained,” he told TechNewsWorld.
Affected people will be notified through a variety of channels, the company said, and free credit monitoring and identity protection services will be made available to everyone impacted by the event.
The company expects to incur costs related to the breach of US$100 million to $150 million in 2019.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Capital One CEO Richard D. Fairbank said. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
While Fairbank was apologizing for the data breach, the FBI was busy arresting Paige A. Thompson, 33, a former Amazon software engineer, for the Capital One breach.
Thompson was identified as the alleged perpetrator after she bragged on GitHub about stealing Capital One’s data, according to a criminal complaint filed in federal court in Seattle. GitHub is the largest website in the world for developers.
Thompson said she accessed the data by exploiting a misconfigured firewall set up to protect the data stored in the Amazon Web Services cloud.
A GitHub user who saw Thompson’s comments alerted Capital One. Capital One alerted the FBI, which obtained a search warrant for Thompson’s residence. There the agents seized electronic storage devices containing a copy of Capital One’s data.
Thompson will face charges of computer fraud and abuse, punishable by up to five years in prison and a $250,000 fine.
In this case, Capital One appears to have been lucky.
“This attacker was careless and boastful. Most hackers trying to promote their own skills will get caught,” said Satya Gupta, CTO of Virsec, an applications security company in San Jose, California.
“It’s more disturbing that the hacker was not noticed by either Capital One or AWS, who employed her. They had no clue until after the fact,” he told TechNewsWorld.
“For Capital One, it was fortuitous that the individual who alerted them to the breach seems to have been one of ‘the good guys.'” Cyxtera’s Taddeo added.
Nevertheless, there still may be cause for concern, noted Arjun Sethi, a partner and vice chair of the digital transformation practice at A.T. Kearney, a global strategy and management consulting firm based in Chicago.
Regarding the vulnerable Web app, “we don’t know if that vulnerability was compromised by prior intruders, or if the data exposed in the current attack was left open for others to leverage,” he told TechNewsWorld.
A Common Snafu
Botching a firewall setup is a frequent issue in network security, noted Usman Rahim, digital security and operations manager at The Media Trust, a mobile and website application security company in McLean, Virginia.
“Companies routinely manipulate firewall configuration in order to achieve the desired results at any legitimate point where the Web application can be accessed. However, in the process they run the risk of misconfiguring the firewall,” he told TechNewsWorld.
“Sophisticated attackers know full well how services operate in the cloud, including the common mistakes around firewall configuration,” Rahim said.
The misconfigured firewall permitted unauthorized access to Capital One’s data, but the inability to detect the issue for months also was an issue, observed Terence Jackson, chief information security officer at Thycotic, a maker of enterprise password management software based in Washington, D.C.
“Dwell time has been an issue in other high-profile breaches as well,” he told TechNewsWorld. “Companies must continuously audit configurations of these cloud services to ensure gaps like these are closed.”
From a technical point of view, Amazon’s cloud is very difficult to breach, noted Taddeo.
“Nearly all breaches where AWS is involved are a result of human error or intent, rather than a technical exploit,” he said.
“Based on what we know, I’d wager the firewall misconfiguration was more likely a result of malicious insider action — the alleged hacker taking advantage of privileges she shouldn’t have had,” Taddeo speculated. “Still, if it’s a result of a true misconfiguration, the fact remains that we’re all still vulnerable to the mistakes that people can make, even skilled security practitioners.”
No Gloom for Cloud
Critics of cloud migration may use the Capital One breach to bolster their position that the public cloud is unsafe for critical data, but that would be a mistake, asserted Richard Gold, head of security engineering at Digital Shadows, a San Francisco-based provider of digital risk protection solutions.
“This isn’t a doom-and-gloom scenario for the cloud,” he told TechNewsWorld.
“Attacks like this underscore the need to know your cloud environment very well, but the misconfiguration that the attacker took advantage of was probably preventable, the result of human error,” Gold continued,
“The ability of Capital One to respond so quickly was partly due to the instrumentation provided by AWS,” he said. “People need to be proactive about checking their cloud environments to ensure that security groups, networks, and so forth are configured in the way that they are expected to be.”
Consumers also may want to be proactive, in light of the Capital One breach. It’s a good idea to review password usage and avoid using passwords more than once. Monitoring credit and financial transactions for a while also might be a valuable exercise.
“The No. 1 thing consumers should do to protect their identities is to freeze their credit by contacting Equifax, Experian and TransUnion. It’s free, quick and easy. You can do it online or over the phone,” advised Ted Rossman, industry analyst at Creditcards.com in Austin, Texas.
“This is the best way to prevent a criminal from opening an unauthorized account in your name,” he told TechNewsWorld. “Unfortunately, only about one in four U.S. adults have frozen their credit.”