Capital One Attacker Exploited Misconfigured AWS Databases

After bragging in underground forums, the woman who stole 100 million credit applications from Capital One has been found guilty.

Picture of a streaky cloud sunrise over a body of water
Source: Pongphan Ruengchai via Alamy Stock Photo

The 36-year-old Seattle tech worker behind the infamous 2019 Capital One data breach has been convicted on seven charges related to the data theft — which are punishable by up to 20 years in jail.

In the incident, Paige Thompson, who operated under the hacker handle "erratic," made off with more than 100 million credit applications that were held in a misconfigured Amazon Web Services storage bucket in the cloud. She was arrested shortly thereafter, after the banking giant traced the malicious activity back to her and alerted the FBI.

"Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," said US Attorney Nick Brown, in a statement. "Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself."

Prosecutors noted that Thompson specifically used a scanner to look for AWS misconfigurations, in which databases are left open to the Internet without authentication required for access. In all, she managed to infiltrate the databases of 30 entities, including Capital One — stealing data and in some cases planting cryptocurrency miners.

According to a Department of Justice statement, Thompson "spent hundreds of hours advancing her scheme, and bragged about her illegal conduct to others via text or online forums."

After a seven-day trial and 10 hours of deliberation, a jury in US District Court in Seattle found Thompson guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer. The jury found her not guilty of access-device fraud and aggravated identity theft.

Thompson is scheduled for sentencing by US District Judge Robert S. Lasnik on Sept. 15.

"She wanted data, she wanted money, and she wanted to brag," Assistant US Attorney Andrew Friedman said in closing arguments.

"We are pleased with the outcome of the trial and remain thankful for the tireless work of the US Attorney's Office in Seattle and the FBI's Seattle Field Office in prosecuting this important case," Capital One said in a media statement.

Cloud Misconfigurations Remain Rampant

While Thompson was bent on malicious activity, the incident also brought cloud-security responsibility and the issue of misconfigurations to the fore. Capital One was found to be negligent for leaving sensitive financial data open to the public, resulting in an $80 million fine. It also settled customer lawsuits for $190 million — not an inexpensive result.

"The Capital One breach really put cloud security at the forefront of many enterprises," says John Bambenek, principal threat hunter at Netenrich. "Prior to that, there was a misconception that the cloud companies would handle security and that default settings were 'secure enough.' The reality is, the shared-security model requires users to make sure that their cloud environments are secure and that data does not accidentally leak."

In its recent report on cloud misconfigurations, security firm Rapid7 noted that breaches stemming from cloud misconfigurations continue to happen with "distressing frequency."

"First and foremost, you should now be keenly aware that there are individuals actively seeking out cloud service misconfigurations on a daily basis," researchers warned in the report. "Given the right tooling, it's almost trivial for any moderately clever person to hunt for these cracks in the cloud at scale, and they don't even need to be targeting your organization specifically to come across that unintended misconfiguration which ends up exposing sensitive data in your care."

As an example, earlier this month researchers from Secureworks Counter Threat Unit (CTU) found that cyberattackers are targeting misconfigured Elasticsearch cloud buckets for extortion purposes. After finding data exposed on the public Internet, the attackers then steal the wide-open data and replace it with a ransom note. At the time, nearly 1,200 instances had been affected.

Thus, enterprises should dedicate resources to cloud security, including planning for safe and resilient configurations and automated processes to monitor for mistakes and oversights, researchers noted.

Bambenek says there's evidence that things are getting better.

"It's taken a few years, however we are making real strides in not only having default-secure settings, but for security tools to start detecting misconfigurations and malicious behavior in cloud environments," he tells Dark Reading.

About the Author(s)

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights