Dark Reading | Cloud

7/30/2019 02:05 PM

Capital One Breach Affects 100M US Citizens, 6M Canadians

The breach exposed credit card application data, Social Security numbers, and linked bank accounts, among other information.

Another massive data breach has struck the US financial sector: This time it's Capital One, which has officially confirmed a breach affecting about 100 million Americans and 6 million Canadians.

On July 29, 2019, the bank and credit card issuer reported an unauthorized intruder had gained access to several types of personal information belonging to Capital One credit card customers and people who had applied for credit cards between 2005 and early 2019. The FBI has arrested and charged one suspect, who is now in custody.

Most of the compromised information belonged to small businesses and consumers who had applied for credit cards. This included applicants' names, addresses, ZIP codes and postal codes, phone numbers, email addresses, birth dates, and self-reported income. Beyond application data, the intruder obtained portions of credit card customer information, including "status data" such as credit scores and limits, balances, payment history, and contact info. The breach also exposed pieces of transaction data from 23 days during 2016, 2017, and 2018, Capital One said in a statement.

About 140,000 Social Security numbers (SSNs) belonging to Capital One credit card customers were accessed, as well as 80,000 linked bank account numbers of secured credit card customers. The attacker also obtained approximately 1 million Social Insurance numbers belonging to Canadian customers. Credit card numbers and login credentials were not exposed in the breach, officials report.

The unauthorized access took place on March 22-23, 2019, when Capital One says "a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure." An external security researcher reported the bug to Capital One via its Responsible Disclosure Program on July 17, 2019. The bank launched an internal investigation, which led to the discovery of this breach on July 19 and the public announcement on July 29.

Capital One stores its data in the cloud; reports indicate the attacker exploited a weakness in a misconfigured web application firewall to reach files held in Amazon Web Services (AWS) storage buckets. The bank says it "immediately addressed" the misconfiguration and verified there are no other instances of it in its environment. It also changed its automated scanning to check regularly for this issue.

"This incident underscores that every component added to an organization's IT environment — even security components — can add to the attack surface and become an entry point for attackers," says Bob Rudis, chief data scientist at Rapid7. While banks have improved their ability to scan for bugs, implement access controls, and improve their overall security posture, it only takes one mistake to leave them exposed to a breach like this one.

Capital One encrypts its data as standard practice; in this case, however, the access the intruder obtained also allowed the data to be decrypted, so encryption at rest did not protect it. Capital One also tokenizes certain fields, notably SSNs and account numbers. Tokenized data remained protected.

About the Suspect
The FBI has arrested Paige Thompson, former software engineer with AWS, and charged her with violation of the Computer Fraud and Abuse Act. Thompson, known online under the pseudonym "erratic," will appear at a hearing on August 1.

The criminal complaint states that after Thompson stole the data from Capital One servers, she posted about it on GitHub. A GitHub user who saw her posts alerted Capital One, which contacted the FBI after confirming a breach. On July 29, agents appeared at Thompson's home with a search warrant and seized electronic storage devices containing a copy of the data.

In examining the GitHub file, Capital One determined that the firewall misconfiguration allowed commands to reach and be executed by the server, which enabled an attacker to access folders or buckets of data in the bank's storage space, the criminal complaint says. Computer logs showed the intruder's connections to the bank's AWS folders, made through the firewall bug.
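The complaint describes the intruder reaching the bank's storage buckets through the misconfigured firewall, and the logs recording those connections. What follows is an added detection example, not code from Capital One, AWS or the criminal complaint: it scans CloudTrail-style S3 events for a single identity listing and reading many buckets inside a short window from an address outside the expected internal range. The event records, the role ARNs, the bucket names, the addresses and the "expected" 10.0.0.0/16 range are all constructed for the illustration; only the field names follow the CloudTrail record layout.

```python
"""Flag one identity enumerating and reading many S3 buckets in a short window.

Added example for this article; not code from Capital One, AWS or the
criminal complaint. All records below are constructed: the field names follow
the CloudTrail record layout, but the role ARNs, bucket names and addresses
are made up for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for the example: the component's legitimate traffic originates
# from 10.0.0.0/16; anything else counts as an external source.
EXPECTED_SOURCE_PREFIXES = ("10.0.",)
ENUMERATION_CALLS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}

ROLE = "arn:aws:sts::111122223333:assumed-role/example-proxy-role/i-0example"  # constructed
APP_ROLE = "arn:aws:sts::111122223333:assumed-role/example-app-role/app-1"    # constructed


def _event(time, name, arn, ip, bucket=None):
    """Build a minimal CloudTrail-style S3 record (constructed sample data)."""
    record = {
        "eventTime": time,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "AssumedRole", "arn": arn},
        "sourceIPAddress": ip,
        "requestParameters": {},
    }
    if bucket:
        record["requestParameters"]["bucketName"] = bucket
    return record


# Constructed sample: one role lists every bucket, then walks and reads three
# of them within minutes from an outside address. The last record is ordinary
# application traffic from inside the expected range.
SAMPLE_EVENTS = [
    _event("2019-03-22T10:00:00Z", "ListBuckets", ROLE, "198.51.100.7"),
    _event("2019-03-22T10:00:20Z", "ListObjectsV2", ROLE, "198.51.100.7", "example-apps-2016"),
    _event("2019-03-22T10:01:05Z", "ListObjectsV2", ROLE, "198.51.100.7", "example-apps-2017"),
    _event("2019-03-22T10:02:40Z", "GetObject", ROLE, "198.51.100.7", "example-apps-2017"),
    _event("2019-03-22T10:03:10Z", "ListObjectsV2", ROLE, "198.51.100.7", "example-apps-2018"),
    _event("2019-03-22T10:03:30Z", "GetObject", ROLE, "198.51.100.7", "example-apps-2018"),
    _event("2019-03-22T10:05:00Z", "GetObject", APP_ROLE, "10.0.3.14", "example-app-assets"),
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_bulk_access(events, window=timedelta(minutes=10), min_buckets=3):
    """Return one finding per principal that touched at least `min_buckets`
    distinct buckets with list/read calls inside any `window`-long span.

    Each finding records the buckets, the source addresses seen and whether
    any of them fell outside EXPECTED_SOURCE_PREFIXES.
    """
    by_principal = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in ENUMERATION_CALLS:
            continue
        bucket = ev.get("requestParameters", {}).get("bucketName")  # absent for ListBuckets
        by_principal[ev["userIdentity"]["arn"]].append(
            (_parse_time(ev["eventTime"]), bucket, ev["sourceIPAddress"])
        )

    findings = []
    for arn, hits in by_principal.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            buckets = {b for _, b, _ in in_window if b}
            if len(buckets) >= min_buckets:
                ips = {ip for _, _, ip in in_window}
                findings.append({
                    "principal": arn,
                    "start": start.isoformat(),
                    "buckets": sorted(buckets),
                    "source_ips": sorted(ips),
                    "external_source": any(not ip.startswith(EXPECTED_SOURCE_PREFIXES) for ip in ips),
                })
                break  # one finding per principal is enough to page on
    return findings


if __name__ == "__main__":
    for finding in find_bulk_access(SAMPLE_EVENTS):
        print(finding)
```

The thresholds (`window`, `min_buckets`) are deliberately loose so the logic is easy to follow; in production they would be tuned per role, and a ListBuckets call from a role that has no business enumerating buckets at all is worth an alert on its own.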

Capital One believes it's unlikely Thompson used the data for fraud or disseminated it.

What You Should Do
Capital One will notify affected customers "through a variety of channels," the company says. It plans to make free credit monitoring and identity protection available to those affected. That said, security experts strongly urge account holders to be cautious and monitor their accounts.

"While it looks like all the appropriate measures have been taken to mitigate the risk of fraud, Capital One customers should continue to be extremely vigilant," says Leigh-Anne Galloway, Positive Technologies' cybersecurity resilience lead. "Keep an eye on your bank accounts and any other connected accounts such as email addresses and immediately flag any suspicious activity to authorities or Capital One."

Even if all the compromised data has been secured and accounted for, she adds, cybercriminals may still try to capitalize on this breach by sending phishing emails posing as bank officials or authorities. Victims should treat any incoming communication with suspicion.

As for businesses storing information in the cloud, security experts advise taking a closer look at security controls and processes related to protecting data in the cloud: "Organizations should regularly take an inventory of both what they've attached to their perimeter network(s) and — especially — regularly review the configurations of these components to ensure they are providing the minimum access necessary to facilitate key business processes," says Rudis, who also advises scheduling regular penetration tests to ensure systems aren't exposed.
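Rudis's advice to review each perimeter component's configuration for the minimum access it needs is something that can be automated and run on a schedule. The following is an added example, not code from Capital One or from any of the article's sources: it audits IAM policy documents of the kind attached to an AWS role and reports S3 grants wider than an allow-list of the buckets the component is expected to reach. The policies, statement IDs, bucket names and the allow-list are all constructed for the illustration.

```python
"""Audit IAM policy documents for S3 access wider than a component needs.

Added example for this article; not code from Capital One, AWS or any of
the quoted experts. The policies, statement IDs, bucket names and the
allow-list are constructed for the illustration.
"""

S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """IAM allows Action/Resource/Statement to be a string or a list."""
    return value if isinstance(value, list) else [value]


def audit_s3_access(policy, allowed_buckets):
    """Return (Sid, reason) pairs for Allow statements that grant S3 access
    beyond `allowed_buckets`: wildcard actions, Resource '*', wildcard bucket
    names, or named buckets outside the allow-list. Deny statements and
    non-S3 actions are ignored."""
    findings = []
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        s3_actions = [a for a in actions if a == "*" or a.lower().startswith("s3:")]
        if not s3_actions:
            continue
        sid = statement.get("Sid", "<no Sid>")
        if any(a in ("*", "s3:*") for a in s3_actions):
            findings.append((sid, "wildcard action grants every S3 operation"))
        for resource in _as_list(statement.get("Resource", [])):
            if resource == "*":
                findings.append((sid, "Resource '*' reaches every bucket in the account"))
                continue
            if not resource.startswith(S3_ARN_PREFIX):
                continue  # not an S3 ARN; other services are out of scope here
            # arn:aws:s3:::bucket or arn:aws:s3:::bucket/key-prefix
            bucket = resource[len(S3_ARN_PREFIX):].split("/", 1)[0]
            if "*" in bucket or "?" in bucket:
                findings.append((sid, f"bucket pattern '{bucket}' is a wildcard"))
            elif bucket not in allowed_buckets:
                findings.append((sid, f"bucket '{bucket}' is outside the component's allow-list"))
    return findings


# Constructed allow-list: the one bucket this perimeter component needs.
ALLOWED_BUCKETS = {"example-proxy-assets"}

# Constructed: the "works in dev" policy that reaches every bucket in the account.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed: the same component scoped to its own bucket, plus an explicit Deny.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProxyAssets", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [S3_ARN_PREFIX + "example-proxy-assets",
                      S3_ARN_PREFIX + "example-proxy-assets/*"]},
        {"Sid": "DenyEverythingElse", "Effect": "Deny", "Action": "s3:*", "Resource": "*"},
    ],
}

# Constructed: tightly written, but pointed at a bucket the component has no business in.
OTHER_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadArchive", "Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": S3_ARN_PREFIX + "example-apps-2017/*"}],
}


if __name__ == "__main__":
    for name, policy in [("overly broad", OVERLY_BROAD_POLICY),
                         ("scoped", SCOPED_POLICY),
                         ("other bucket", OTHER_BUCKET_POLICY)]:
        print(name, audit_s3_access(policy, ALLOWED_BUCKETS))
```

The allow-list is the important input: a policy can be syntactically tight and still wrong, as the third constructed policy shows, so the check has to compare grants against what the component actually needs rather than only hunting for `*`.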

Cloud security "can sometimes be less forgiving" given the scale of the storage and processing capacity involved, adds BlackCloak CEO Dr. Chris Pierson. Data stores of the past were smaller and more distributed; today's cloud instances concentrate far more data in one place and present new challenges. "Given the changed dynamics of cloud environments, security and infrastructure teams must be able to continually monitor, scan, and protect the data they have and hold," he says.

While many major cloud providers are building stronger security into their offerings, it's still the business's responsibility to handle risk management, monitoring, backups, and maintenance. Given that Capital One's cloud software was not properly configured, it should be a warning to businesses to ensure security teams are trained and alerted to the danger of small issues like these having big consequences. 

Capital One estimates this data breach will cost about $100 million to $150 million in 2019, with costs primarily driven by customer notifications, credit monitoring, technology, and legal support. That said, it could end up costing far more: Equifax, the credit reporting giant that suffered a data breach affecting 147 million people in 2017, will pay up to $700 million in damages.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
Quaker69, User Rank: Apprentice, 8/6/2019 | 12:57:25 PM
Re: Cost
Aptly put, but I would say instead "Who's in your wallet?"
tdsan, User Rank: Ninja, 8/1/2019 | 7:58:53 AM
Re: Sophisticated?
Man, I agree with you; they saw a firewall rule on the ACL list that pointed to a TOR site. I mean, how obvious can it be? In addition, she was an ex-programmer who was directly involved with the project. All you have to do is whittle it down: who worked on the project, who left, who was disgruntled, and who had full access to the private/secret keys? There you go: Paige Thompson.

GeekWire stated this:
100 million people in the U.S. and 6 million people in Canada were affected in total.

I do understand Canada was affected, but we are talking apples to oranges here when we look at the sheer number; this is astounding.

This is what CapitalOne said:
Capital One said it is "unlikely that the information was used for fraud or disseminated by this individual." No credit card account numbers or log-in credentials were compromised.

To your point, this is "Hog Wash", lol. The marketing team is working their hardest to try and clean this up, but seriously, whoever has this data and this data was on a TOR site, they are looking for "black market" purchasers to buy this data, it may not be now, but it is a matter of time, she is just the fall person.

By the way, this is what she said (Dummy):

Soper did a great job in reporting - CapitalOne Reporting

But to your point, people talk too much, she was over her head.

T
lunny, User Rank: Strategist, 7/31/2019 | 6:36:30 PM
Sophisticated?
Capital One says "a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure." - Horse waste!!! The attacker was a rank amateur. She didn't cover her tracks well at all, despite using tools designed to do just that. Capital One was clueless until they received an email from a good guy. How many bad guys copied the data from this woman's trove on Github in the meantime? She made no secret of having it, and there were likely many opportunities for bad guys who are better/smarter/faster to get at the data. Capital One would still be bleeding today and have no idea it was happening had this been an attacker with real skill who could keep his or her mouth shut.

As to the cost, I think Capital One is going to find the fines and costs they can expect to pay will exceed those of Equifax. People, and politicians, are getting real tired of this. And while Canadians are real nice folks, they get pretty riled up about this kind of thing. They'll be fining the undershorts off of Capital One too.

Manage your privileged account passwords, folks.  And use MFA.  This is so freaking simple.
REISEN1955, User Rank: Ninja, 7/31/2019 | 9:20:54 AM
Re: Cost
In a nutshell: What's in your wallet? (Nothing after I get through with it)
Dr.T, User Rank: Ninja, 7/30/2019 | 9:58:51 PM
Cost
"Capital One estimates this data breach will cost about $100 million to $150 million in 2019, with costs primarily driven by customer notifications, credit monitoring, technology, and legal support." This means victims are really not getting anything.
Dr.T, User Rank: Ninja, 7/30/2019 | 9:57:43 PM
Cloud providers
"...stronger security into their offerings, it's still the business's responsibility to handle risk management, monitoring..." That is true; cloud providers should still provide standard security measures.
Dr.T, User Rank: Ninja, 7/30/2019 | 9:56:13 PM
Re: So ..... the discovery was ....
"---- nope, somebody totally outside the firm noticed data and was kind enough to make a phone call" Yes, there are still some of us who care about security and pricing and report anything that looks suspicious.
Dr.T, User Rank: Ninja, 7/30/2019 | 9:54:34 PM
Re: So ..... the discovery was ....
"A git-hub user. Not in Cap One, not in their staff" I agree this is really interesting. Users are still the weakest links.
Dr.T, User Rank: Ninja, 7/30/2019 | 9:53:00 PM
Capital One And Equifax
So Capital One did not hear about Equifax yet? Unbelievable how they cannot understand what is happening out there.
REISEN1955, User Rank: Ninja, 7/30/2019 | 2:18:42 PM
So ..... the discovery was ....
A git-hub user. Not in Cap One, not in their staff ---- nope, somebody totally outside the firm noticed data and was kind enough to make a phone call. Gee, isn't that special, as THE CHURCH LADY used to say. Of course the thief also bragged about it on social media - also stupid. But plenty of that at Cap One apparently. NOBODY NOTICED?????