
Capital One ‘deeply sorry’ to leak 106M personal records

Richi Jennings, Industry analyst and editor, RJAssociates

Capital One is the latest financial firm to lose more than 100 million people’s data. It joins the lofty legions of disgraced companies such as Equifax in being hacked for big slabs of PII.

The alleged hacker is known as "Erratic," a.k.a. netcrave, a.k.a. @0xa3a97b6c, a.k.a. paigeadelethompson2019. Oh wait. That last one was a bit of a dead giveaway.

This seems to be what the FBI thought, too. In this week’s Security Blogwatch, we count our capital.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Prising open a closed system with a Z80.


More leaky S3 buckets

What’s the craic? Devlin Barrett reports—Capital One says data breach affected 100 million:

The hack appears to be one of the largest data breaches ever to hit a financial services firm. … The hack is expected to cost the company between $100 million and $150 million in the near term.

Capital One, which is headquartered in … McLean, Va., was alerted to a problem on July 17 after a person in an online discussion group had claimed to have taken large amounts of the company’s data. … The bank investigated and … confirmed there was a vulnerability.

The FBI has arrested a Seattle-area woman, Paige A. Thompson, on a charge of computer fraud and abuse. … It is unusual in a major hacking case for a suspect to be apprehended so quickly.

Thompson, who authorities say used the name “erratic” in online conversations … was ordered to remain in jail pending a detention hearing scheduled for Thursday. … In one online posting, “erratic” wrote: “I’ve basically strapped myself with a bomb vest, [expletive] dropping capitol ones dox and admitting it.”

Thompson previously worked at an unidentified cloud-computing company that provided data services to Capital One. … Based on other postings allegedly made by Thompson last month, the FBI came to suspect she “intended to disseminate data stolen from victim entities,” … court documents say.

Who is this alleged perp? Shaun Nichols tells us more—Hacker swipes personal info on 106 million US, Canadian credit card applicants:

A hacker raided Capital One's cloud storage buckets. … Seattle software engineer Paige A. Thompson, aka "erratic," aka 0xA3A97B6C on Twitter, was suspected … and was collared by the FBI at her home on Monday.

According to the Feds … Thompson broke into Capital One's cloud-hosted storage, believed to be Amazon Web Services' S3 buckets, and downloaded their contents. [They] said a "firewall misconfiguration permitted commands to reach and be executed" by Capital One's cloud-based storage servers. … Thompson [worked] at Amazon Web Services, specifically on [S3], between 2015 and 2016.

It is alleged Thompson bragged about her hack to pals on Slack, and spilled the beans on a public GitHub Gist post – a move that led the Feds literally to her front door. … A GitHub user spotted erratic's Gist post containing information about Capital One's systems, and privately emailed the financial giant to warn it.

Perhaps not the best plan. Brian Krebs cycles through Thompson’s history:

FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data. … The FBI says Capital One learned about the theft from a tip [that] alerted the company that some of its leaked data was [on the] Github account [of] a user named “Netcrave,” which includes the resume and name of one Paige A. Thompson.

Further investigation revealed that Thompson used the nickname “erratic” on Twitter, where she spoke openly over several months about finding huge stores of data intended to be secured on various Amazon instances. … She invited others to join a Slack channel [with] many months of postings apparently made by Erratic [which] suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations.

Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts. … None of Erratic’s postings suggest Thompson sought to profit from selling the data taken from various Amazon cloud instances.

What does the bank have to say for itself? CEO Richard D. Fairbank hopes you believe in nominative determinism: [You’re fired—Ed.]

While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.

Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.

The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included …
  • names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. …
  • Portions of credit card customer data, including … credit scores, credit limits, balances, payment history, contact information [and] fragments of transaction data from a total of 23 days during 2016, 2017 and 2018. …
  • About 140,000 Social Security numbers of our credit card customers,
  • about 80,000 linked bank account numbers of our secured credit card customers. …
  • For our Canadian credit card customers, approximately 1 million Social Insurance Numbers. …
Safeguarding applicant and customer information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses.

Ahem. “Learnings” is not a word. Kevin Beaumont asks what the lessons are:

  • Why did the WAF account apparently have access to the S3 storage buckets?
  • Why wasn't the data of hundreds of millions of people's credit checks encrypted? Should that kind of data have been left for so long in cloud buckets?
  • Why didn't they notice all these S3 buckets being sync'd to a random VPN IP address? It happened 4 months ago.
  • Why didn't they notice the Gitlab pages listing their config?
  • Why didn't they notice until somebody random emailed them? …
I guess lessons learned … is Monitoring. Ingest your cloud logs. Alert against them. Monitor sites like Github and Gitlab for obviously sensitive information, e.g. usernames, bucket names etc.
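The monitoring Beaumont asks for, as an added example that is not part of the original post or any vendor's tooling: a small detector run over constructed CloudTrail-shaped records. The role name `waf-proxy-role`, the trusted CIDR, the bucket names and the read threshold are all assumptions chosen for the example.

```python
import ipaddress
from collections import Counter

# Constructed values for the example: a role that should never touch data
# buckets, the CIDR legitimate in-VPC access comes from, and an alert threshold.
NO_S3_ROLES = {"waf-proxy-role"}
TRUSTED_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]
READ_THRESHOLD = 3  # GetObject calls per (role, IP) before we call it a sync

def _role(rec):
    """Role name behind an assumed-role session, or '' for other identities."""
    issuer = rec["userIdentity"].get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName", "")

def _trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # CloudTrail uses service hostnames for AWS-internal calls
        return True
    return any(addr in net for net in TRUSTED_CIDRS)

def analyze(records):
    """Return alert strings for S3 activity a monitoring pipeline should flag."""
    alerts, reads = [], Counter()
    for rec in records:
        role, ip, event = _role(rec), rec["sourceIPAddress"], rec["eventName"]
        # A WAF/proxy role has no business enumerating buckets (the first question above).
        if event == "ListBuckets" and role in NO_S3_ROLES:
            alerts.append(f"role {role} enumerated buckets from {ip}")
        # Repeated object reads from outside the VPC look like a bucket sync (the third).
        if event == "GetObject" and not _trusted(ip):
            reads[(role, ip)] += 1
            if reads[(role, ip)] == READ_THRESHOLD:
                alerts.append(f"bulk object reads by {role} from untrusted {ip}")
    return alerts

def _event(name, ip, role, bucket=None):
    """Build a constructed CloudTrail-shaped record (sample data, not real logs)."""
    rec = {"eventName": name, "sourceIPAddress": ip,
           "userIdentity": {"sessionContext": {"sessionIssuer": {"userName": role}}}}
    if bucket:
        rec["requestParameters"] = {"bucketName": bucket}
    return rec

# Constructed sample: one benign in-VPC write, then a proxy role listing and
# pulling several buckets from an address outside the trusted range.
SAMPLE_EVENTS = [_event("PutObject", "10.1.2.3", "app-role", "app-uploads"),
                 _event("ListBuckets", "203.0.113.7", "waf-proxy-role")]
SAMPLE_EVENTS += [_event("GetObject", "203.0.113.7", "waf-proxy-role", f"bucket-{i}")
                  for i in range(4)]
```

Running `analyze(SAMPLE_EVENTS)` yields two alerts: the bucket enumeration by the proxy role, and the bulk reads once the third GetObject from the untrusted address arrives.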

Our old friend Lucas Mearian runs the numbers:

Capital One's net revenue was $28 Billion last year and their profit was $5.7 Billion; 75% of their revenue came from credit cards.

Yet, somehow they were unable to correctly configure a web application firewall, allowing a former software developer to hack into their database and gain access to [100m people’s] personal information.

So what is the federal government going to do about this? What penalty will Capital One incur that will amount to more than its conference room lunch budget?

Anyone want to bet nothing of substance will happen?

And Matthew Hardeman—@mdhardeman—also ponders future fines:

The damages question on this one will be interesting. Depending on how far the data has spread, etc., Capital One would have a fair argument that the damages owing to the breach are diminished in value as it's mostly the same confidential data already leaked by Equifax.

I don't advocate that. … I'm just saying that in terms of actual damages, it's probably objectively lower than in the case of the Equifax breach. Repeating a secret that's already out there isn't as damaging as the initial reveal.

Just about the only thing mutable in the PII set in discussion is the current address. And for the majority, that doesn't change so often that a two year lag is really significant.

Additionally, the data set stolen from Capital One has been described primarily as data from credit card applications to Capital One. Which would be point-in-time data as of the application date. So, much (but not all) of this is probably years old.

But Any other name asks, “You keep it for how long?!”:

The real outrage here is not that the data was taken. It is that Capital One still keeps the data from 14-year old credit card applications, presumably including those where the application was refused or where the customer has cancelled the card long ago, and no longer has any business relationship with Capital One.

This is exactly why we need tools like GDPR, and we need them aggressively enforced.

Controversially, this Anonymous Coward blames DevOps and Agile, in a spittle-flecked rantette:

Was Capital One transitioning to DevOps and Agile and in the process had a leaky wall of data protection standards they removed and rolled back because it was impeding their Faster to Market paradigm shift? Not like that is happening all over the ****ing place leaving customers vulnerable.

Meanwhile, Phil Kingston offers this advice to would-be hackers:

Even the FBI managed to track down someone who used her full real name. … You can't get much past them these days.

The moral of the story?

What’s in your WAF ruleset? And do you monitor your logs and known hacker haunts?


And finally

Before Raspberry Pi and Arduino


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Judy “mainbanana” Valentine (cc:by-sa)
