Dark Reading is part of the Informa Tech Division of Informa PLC


Cloud

7/30/2019
02:05 PM

Capital One Breach Affects 100M US Citizens, 6M Canadians

The breach exposed credit card application data, Social Security numbers, and linked bank accounts, among other information.

Another massive data breach has struck the US financial sector: This time it's Capital One, which has officially confirmed a breach affecting about 100 million Americans and 6 million Canadians.

On July 29, 2019, the bank and credit card issuer reported an unauthorized intruder had gained access to several types of personal information belonging to Capital One credit card customers and people who had applied for credit cards between 2005 and early 2019. The FBI has arrested and charged one suspect, who is now in custody.

Most of the compromised information belonged to small businesses and consumers who had applied for credit cards. This included applicants' names, addresses, ZIP codes and postal codes, phone numbers, email addresses, birth dates, and self-reported income. Beyond application data, the intruder obtained portions of credit card customer information, including "status data" such as credit scores and limits, balances, payment history, and contact info. The breach also exposed pieces of transaction data from 23 days during 2016, 2017, and 2018, Capital One said in a statement.

About 140,000 Social Security numbers (SSNs) belonging to Capital One credit card customers were accessed, as well as 80,000 linked bank account numbers of secured credit card customers. The attacker also obtained approximately 1 million Social Insurance numbers of Canadian credit card customers. Credit card numbers and login credentials were not exposed in the breach, officials report.

The unauthorized access took place on March 22-23, 2019, when Capital One says "a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure." An external security researcher reported the bug to Capital One via its Responsible Disclosure Program on July 17, 2019. The bank launched an internal investigation, which led to the discovery of this breach on July 19 and the public announcement on July 29.

Capital One stores its data in the cloud; reports indicate the attacker exploited a misconfigured web application firewall to reach files held in Amazon Web Services (AWS) storage buckets. The bank says it "immediately addressed" the misconfiguration and verified there are no other instances of it in its environment, and it has added the issue to the checks its automated scanning runs regularly.

"This incident underscores that every component added to an organization's IT environment — even security components — can add to the attack surface and become an entry point for attackers," says Bob Rudis, chief data scientist at Rapid7. While banks have improved their ability to scan for bugs, implement access controls, and improve their overall security posture, it only takes one mistake to leave them exposed to a breach like this one.

Capital One encrypts its stored data as standard practice; however, because of the way this access was obtained, the intruder was also able to decrypt it. It is also Capital One's practice to tokenize certain data fields, notably SSNs and account numbers, substituting a surrogate value whose mapping to the real value is held separately. Tokenized data remained protected.
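The distinction matters for anyone designing storage for regulated data, so here is an added illustration (not Capital One's or AWS's code, and not a description of the bank's actual key setup) of why encrypted fields can fall with a single stolen credential while tokenized fields do not. It models a store whose decrypt operation is reachable with the same credentials that read the store, and a token vault that requires a separate credential. The role names (StorageRole, VaultRole), the toy cipher, the sample record and the method names are all assumptions made for the example.

```python
"""Encrypted fields versus tokenized fields under credential compromise.

Added illustration, not Capital One's or AWS's code. A single role can both
read the store and decrypt (assumption modelling the breach circumstances);
detokenizing needs a second role the perimeter component never holds.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter keystream; a stand-in for a real cipher, illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: str) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def decrypt(key: bytes, blob: bytes) -> str:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()


class TokenVault:
    """Keeps token -> value mappings; detokenizing requires VaultRole (assumed name)."""

    def __init__(self) -> None:
        self._values: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)  # random surrogate, unrelated to the value
        self._values[token] = value
        return token

    def detokenize(self, creds: set[str], token: str) -> str:
        if "VaultRole" not in creds:
            raise PermissionError("detokenize requires VaultRole")
        return self._values[token]


class DataStore:
    """Application records: name encrypted under the store's key, SSN tokenized."""

    def __init__(self, key: bytes, vault: TokenVault) -> None:
        self._key = key
        self.vault = vault
        self.records: list[dict] = []

    def write_application(self, name: str, ssn: str) -> None:
        self.records.append({"name": encrypt(self._key, name), "ssn": self.vault.tokenize(ssn)})

    def read_all(self, creds: set[str]) -> list[dict]:
        if "StorageRole" not in creds:
            raise PermissionError("read requires StorageRole")
        return list(self.records)

    def kms_decrypt(self, creds: set[str], blob: bytes) -> str:
        # Assumption: the role that reads the store may also call decrypt, so
        # encryption at rest gives nothing once that role's credentials are taken.
        if "StorageRole" not in creds:
            raise PermissionError("decrypt requires StorageRole")
        return decrypt(self._key, blob)


def intruder_view(store: DataStore, creds: set[str]) -> list[tuple[str, str]]:
    """What a holder of `creds` recovers from every record."""
    rows = []
    for rec in store.read_all(creds):
        name = store.kms_decrypt(creds, rec["name"])
        try:
            ssn = store.vault.detokenize(creds, rec["ssn"])
        except PermissionError:
            ssn = rec["ssn"]  # opaque token: no SSN recoverable from the store alone
        rows.append((name, ssn))
    return rows


def demo() -> tuple[list[tuple[str, str]], list[tuple[str, str]]]:
    vault = TokenVault()
    store = DataStore(secrets.token_bytes(32), vault)
    store.write_application("Alice Example", "123-45-6789")  # constructed sample record
    stolen = {"StorageRole"}                   # what a compromised perimeter role yields
    legitimate = {"StorageRole", "VaultRole"}  # what the application tier holds
    return intruder_view(store, stolen), intruder_view(store, legitimate)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the encrypted name in clear for the stolen credential set but leaves the SSN as a `tok_...` surrogate; only the credential set that also carries `VaultRole` resolves it. The design point is that tokenization separates the authority to read records from the authority to recover the sensitive value, whereas encryption at rest only helps if decrypt authority is kept away from whatever component can be reached from the perimeter.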

About the Suspect
The FBI has arrested Paige Thompson, a former software engineer at AWS, and charged her under the Computer Fraud and Abuse Act. Thompson, known online by the pseudonym "erratic," is scheduled to appear at a hearing on August 1.

The criminal complaint states that after Thompson stole the data from Capital One servers, she posted about it on GitHub. A GitHub user who saw her posts alerted Capital One, which contacted the FBI after confirming a breach. On July 29, agents appeared at Thompson's home with a search warrant and seized electronic storage devices containing a copy of the data.

In examining the GitHub file, Capital One determined that the firewall misconfiguration allowed commands to reach the server and be executed by it, which let an attacker access folders or buckets of data in the bank's storage space, the criminal complaint says. Capital One's logs showed connections between the intruder and the bank's AWS storage that went through the misconfigured firewall.
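The logs the complaint describes are the kind of evidence a detection rule can act on before a third party notices the data on GitHub. The following is an added example, not Capital One's detection logic: it runs over CloudTrail-shaped events and flags a perimeter component's role being used to read storage from a source that is not the component. The field names (`eventName`, `userIdentity.arn`, `sourceIPAddress`, `requestParameters.bucketName`) are CloudTrail's; the role name WAF-Role, the account id, the VPC range, the IP addresses and the bucket names are constructed for the example.

```python
"""Detection over CloudTrail-shaped events: perimeter role credentials used
off-host, bucket enumeration, and bulk access to many distinct buckets.

Added example, not Capital One's detection. All identifiers are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import Counter

WAF = "arn:aws:sts::123456789012:assumed-role/WAF-Role/i-0abc123"  # constructed
APP = "arn:aws:sts::123456789012:assumed-role/App-Role/i-0def456"  # constructed

# Roles belonging to perimeter components, with the network each may be used from.
PERIMETER_ROLES = {WAF: ipaddress.ip_network("10.0.0.0/16")}
ENUMERATION = {"ListBuckets", "ListObjects", "ListObjectsV2"}
BULK_THRESHOLD = 3  # distinct buckets one perimeter principal touches before it is flagged


def _event(event_id: str, name: str, arn: str, ip: str, bucket: str | None = None) -> dict:
    ev = {"eventID": event_id, "eventName": name,
          "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    if bucket:
        ev["requestParameters"] = {"bucketName": bucket}
    return ev


SAMPLE_EVENTS = [  # constructed; e1 and e2 are the WAF's normal behaviour
    _event("e1", "GetObject", WAF, "10.0.1.5", "static-assets"),
    _event("e2", "GetObject", WAF, "10.0.1.5", "static-assets"),
    # the same role credentials, now used from an address outside the VPC
    _event("e3", "ListBuckets", WAF, "203.0.113.7"),
    _event("e4", "ListObjectsV2", WAF, "203.0.113.7", "card-applications"),
    _event("e5", "GetObject", WAF, "203.0.113.7", "card-applications"),
    _event("e6", "GetObject", WAF, "203.0.113.7", "cust-records"),
    _event("e7", "GetObject", APP, "10.0.2.9", "cust-records"),  # app tier, not watched here
]


def analyze(events: list[dict]) -> list[tuple[str, str]]:
    """Return (kind, subject) findings for perimeter-role activity."""
    findings: list[tuple[str, str]] = []
    buckets_by_principal: dict[str, set[str]] = {}
    for ev in events:
        arn = ev["userIdentity"]["arn"]
        allowed_net = PERIMETER_ROLES.get(arn)
        if allowed_net is None:
            continue  # not a perimeter role; other rules would cover it
        if ipaddress.ip_address(ev["sourceIPAddress"]) not in allowed_net:
            findings.append(("role-used-off-host", ev["eventID"]))
        if ev["eventName"] in ENUMERATION:
            findings.append(("bucket-enumeration", ev["eventID"]))
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket:
            buckets_by_principal.setdefault(arn, set()).add(bucket)
    for arn, buckets in buckets_by_principal.items():
        if len(buckets) >= BULK_THRESHOLD:
            findings.append(("bulk-bucket-access", arn))
    return findings


def summary(events: list[dict]) -> Counter:
    return Counter(kind for kind, _ in analyze(events))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

Two practical caveats: `ListBuckets` is a management event and is logged by default, but `GetObject` and `ListObjectsV2` only appear in CloudTrail if S3 data events are enabled for the trail, so the bulk-access rule is silent until they are; and the off-host check assumes the component's credentials are never legitimately used from elsewhere, which is exactly the property worth enforcing for a WAF or proxy role.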

Capital One believes it's unlikely Thompson used the data for fraud or disseminated it.

What You Should Do
Capital One will notify affected customers "through a variety of channels," the company says. It plans to make free credit monitoring and identity protection available to those affected. That said, security experts strongly urge account holders to be cautious and monitor their accounts.

"While it looks like all the appropriate measures have been taken to mitigate the risk of fraud, Capital One customers should continue to be extremely vigilant," says Leigh-Anne Galloway, Positive Technologies' cybersecurity resilience lead. "Keep an eye on your bank accounts and any other connected accounts such as email addresses and immediately flag any suspicious activity to authorities or Capital One."

Even if all the compromised data has been secured and accounted for, she adds, cybercriminals may still try to capitalize on this breach by sending phishing emails posing as bank officials or authorities. Victims should treat any incoming communication with suspicion.

As for businesses storing information in the cloud, security experts advise taking a closer look at the controls and processes that protect that data. "Organizations should regularly take an inventory of both what they've attached to their perimeter network(s) and — especially — regularly review the configurations of these components to ensure they are providing the minimum access necessary to facilitate key business processes," says Rudis, who also advises scheduling regular penetration tests to confirm that systems aren't exposed.
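Rudis's "minimum access necessary" review can be automated for the identity side of a perimeter component: check what its role is allowed to do against what it is documented to need. The script below is an added example, not Capital One's scanner. The policy documents use IAM's JSON syntax, but the role names, bucket names and the two policies themselves are constructed; the WAF policy's second statement is the sort of over-grant that turns a perimeter box into a path to customer data.

```python
"""Least-privilege review of IAM policies attached to perimeter components.

Added example, not Capital One's scanner. Flags Allow statements that grant
S3 read/list actions beyond the resources the role is documented to need.
"""
from __future__ import annotations

import fnmatch

# Actions a perimeter component (WAF, proxy) has no business holding on customer data.
SENSITIVE_S3 = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _granted(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive and may contain '*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _within(resource: str, allowed: str) -> bool:
    """A granted resource is acceptable only if it is the allowed pattern itself or a
    concrete ARN the allowed pattern covers; a broader wildcard is not."""
    if resource == allowed:
        return True
    return "*" not in resource and fnmatch.fnmatchcase(resource, allowed)


def review_policy(role: str, policy: dict, allowed_resources: list[str]) -> list[dict]:
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        reached = [a for a in SENSITIVE_S3 if any(_granted(p, a) for p in actions)]
        if not reached:
            continue
        over_broad = [r for r in resources if not any(_within(r, ok) for ok in allowed_resources)]
        if over_broad:
            findings.append({"role": role, "statement": idx, "actions": reached,
                             "resources": over_broad,
                             "wildcard_action": any(p in ("*", "s3:*") for p in actions)})
    return findings


# Constructed policies. The WAF should only write its own logs.
WAF_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::waf-logs/*"},
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},  # the over-grant
    ],
}
APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::card-applications", "arn:aws:s3:::card-applications/*"]},
    ],
}
ALLOWED = {  # what each role is documented to need (constructed)
    "WAF-Role": ["arn:aws:s3:::waf-logs/*"],
    "App-Role": ["arn:aws:s3:::card-applications", "arn:aws:s3:::card-applications/*"],
}


def audit(policies: dict[str, dict]) -> list[dict]:
    out: list[dict] = []
    for role, policy in policies.items():
        out.extend(review_policy(role, policy, ALLOWED.get(role, [])))
    return out


if __name__ == "__main__":
    for finding in audit({"WAF-Role": WAF_POLICY, "App-Role": APP_POLICY}):
        print(finding)
```

The review is deliberately one-sided: it only asks whether a perimeter role can reach data it should not, which is the question this incident raises. A role not listed in `ALLOWED` is treated as needing nothing, so every sensitive grant on it is reported; that is the safer default for an inventory that, per Rudis, should start by listing what sits on the perimeter at all.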

Cloud security "can sometimes be less forgiving" given the scale of storage and processing a cloud environment offers, adds BlackCloak CEO Dr. Chris Pierson. Data stores of the past were smaller and more distributed; today's cloud instances hold far more in one place and so present new challenges. "Given the changed dynamics of cloud environments, security and infrastructure teams must be able to continually monitor, scan, and protect the data they have and hold," he says.

While many major cloud providers are building stronger security into their offerings, risk management, monitoring, backups, and maintenance remain the customer's responsibility. Capital One's cloud environment was not properly configured; that should be a warning to businesses to ensure security teams are trained to recognize that small misconfigurations like this one can have large consequences.

Capital One estimates this data breach will cost about $100 million to $150 million in 2019, with costs primarily driven by customer notifications, credit monitoring, technology, and legal support. That said, it could end up costing far more: Equifax, the credit reporting giant that suffered a data breach affecting 147 million people in 2017, has agreed to pay up to $700 million in a settlement.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments
Quaker69, User Rank: Apprentice
8/6/2019 | 12:57:25 PM
Re: Cost
Aptly put, but I would say instead "Who's in your wallet?"
tdsan, User Rank: Ninja
8/1/2019 | 7:58:53 AM
Re: Sophisticated?
Man, I agree with you: they saw a firewall rule on the ACL list that pointed to a TOR site. I mean, how obvious can it be? In addition, she was an ex-programmer who was directly involved with the project. All you have to do is whittle it down: who worked on the project, who left, who was disgruntled, and who had full access to the private/secret keys? There you go - Paige Thompson.

GeekWire stated this:
100 million people in the U.S. and 6 million people in Canada were affected in total.

I do understand Canada was affected, but we are talking apples to oranges here when we look at the sheer number; this is astounding.

This is what CapitalOne said:
Capital One said it is "unlikely that the information was used for fraud or disseminated by this individual." No credit card account numbers or log-in credentials were compromised.

To your point, this is "Hog Wash", lol. The marketing team is working their hardest to try and clean this up, but seriously, whoever has this data (and this data was on a TOR site) is looking for "black market" purchasers to buy it. It may not be now, but it is a matter of time; she is just the fall person.

By the way, this is what she said (Dummy):

Soper did a great job in reporting - CapitalOne Reporting

But to your point, people talk too much; she was over her head.

T
REISEN1955, User Rank: Ninja
7/31/2019 | 9:20:54 AM
Re: Cost
In a nutshell: What's in your wallet? (Nothing after I get through with it)
REISEN1955, User Rank: Ninja
7/30/2019 | 2:18:42 PM
So ..... the discovery was ....
A GitHub user. Not in Cap One, not in their staff ---- nope, somebody totally outside the firm noticed data and was kind enough to make a phone call. Gee, isn't that special, as THE CHURCH LADY used to say. Of course the thief also bragged about it on social media - also stupid. But plenty of that at Cap One apparently. NOBODY NOTICED?????