Another massive data breach has struck the US financial sector: This time it's Capital One, which has officially confirmed a breach affecting about 100 million Americans and 6 million Canadians.
On July 29, 2019, the bank and credit card issuer reported an unauthorized intruder had gained access to several types of personal information belonging to Capital One credit card customers and people who had applied for credit cards between 2005 and early 2019. The FBI has arrested and charged one suspect, who is now in custody.
Most of the compromised information belonged to small businesses and consumers who had applied for credit cards. This included applicants' names, addresses, ZIP codes and postal codes, phone numbers, email addresses, birth dates, and self-reported income. Beyond application data, the intruder obtained portions of credit card customer information, including "status data" such as credit scores and limits, balances, payment history, and contact info. The breach also exposed pieces of transaction data from 23 days during 2016, 2017, and 2018, Capital One said in a statement.
About 140,000 Social Security numbers (SSNs) belonging to Capital One credit card customers were accessed, as well as 80,000 linked bank accounts of secured credit card customers. The attacker was able to obtain approximately 1 million Social Insurance numbers from Canadian users. Credit card numbers and login credentials were not exposed in the breach, officials report.
The unauthorized access took place on March 22-23, 2019, when Capital One says "a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure." An external security researcher reported the bug to Capital One via its Responsible Disclosure Program on July 17, 2019. The bank launched an internal investigation, which led to the discovery of this breach on July 19 and the public announcement on July 29.
Capital One stores its data in the cloud; reports indicate the attacker was able to exploit a weakness in a misconfigured web application firewall to gain access to the files stored in an Amazon Web Services (AWS) database. The bank "immediately addressed" the bug and verified there are no other instances in its environment. It altered its automated scanning to regularly look for this issue.
"This incident underscores that every component added to an organization's IT environment — even security components — can add to the attack surface and become an entry point for attackers," says Bob Rudis, chief data scientist at Rapid7. While banks have improved their ability to scan for bugs, implement access controls, and improve their overall security posture, it only takes one mistake to leave them exposed to a breach like this one.
The bank encrypts its data as a standard; however, due to the circumstances of this breach, the unauthorized access also enabled data decryption. It's also Capital One's practice to tokenize certain data fields, particularly SSNs and account numbers. Tokenized data remained protected.
About the Suspect
The FBI has arrested Paige Thompson, former software engineer with AWS, and charged her with violation of the Computer Fraud and Abuse Act. Thompson, known online under the pseudonym "erratic," will appear at a hearing on August 1.
The criminal complaint states that after Thompson stole the data from Capital One servers, she posted about it on GitHub. A GitHub user who saw her posts alerted Capital One, which contacted the FBI after confirming a breach. On July 29, agents appeared at Thompson's home with a search warrant and seized electronic storage devices containing a copy of the data.
In examining the GitHub file, Capital One determined the firewall misconfiguration allowed commands to reach and be executed by the server, which enabled an attacker to access folders or buckets of data in the bank's storage space, the criminal complaint says . Computer logs showed connections between the bank's AWS folders and the intruder, using the firewall bug.
Capital One believes it's unlikely Thompson used the data for fraud or disseminated it.
What You Should Do
Capital One will notify affected customers "through a variety of channels," the company says. It plans to make free credit monitoring and identity protection available to those affected. That said, security experts strongly urge account holders to be cautious and monitor their accounts.
"While it looks like all the appropriate measures have been taken to mitigate the risk of fraud, Capital One customers should continue to be extremely vigilant," says Leigh-Anne Galloway, Positive Technologies' cybersecurity resilience lead. "Keep an eye on your bank accounts and any other connected accounts such as email addresses and immediately flag any suspicious activity to authorities or Capital One."
Even if all the compromised data has been secured and accounted for, she adds, cybercriminals may still try to capitalize on this breach by sending phishing emails posing as bank officials or authorities. Victims should treat any incoming communication with suspicion.
As for businesses storing information in the cloud, security experts advise taking a closer look at security controls and processes related to protecting data in the cloud: "Organizations should regularly take an inventory of both what they've attached to their perimeter network(s) and — especially — regularly review the configurations of these components to ensure they are providing the minimum access necessary to facilitate key business processes," says Rudis, who also advises scheduling regular penetration tests to ensure systems aren't exposed.
Cloud security "can sometimes be less forgiving" given the power and magnitude of its storage and processing powers, adds BlackCloak CEO Dr. Chris Pierson. Data stores of the past were smaller and more distributed; today's cloud instances present new challenges. "Given the changed dynamics of cloud environments, security and infrastructure teams must be able to continually monitor, scan, and protect the data they have and hold," he says.
While many major cloud providers are building stronger security into their offerings, it's still the business's responsibility to handle risk management, monitoring, backups, and maintenance. Given that Capital One's cloud software was not properly configured, it should be a warning to businesses to ensure security teams are trained and alerted to the danger of small issues like these having big consequences.
Capital One estimates this data breach will cost about $100 million to $150 million in 2019, with costs primarily driven by customer notifications, credit monitoring, technology, and legal support. That said, it could end up costing far more: Equifax, the credit reporting giant that suffered a data breach affecting 147 million people in 2017, will pay up to $700 million in damages.