Capital One this week announced that a hacker stole personal information from over 100 million customers across the US and Canada. The data included names, addresses, phone numbers, email addresses, dates of birth and self-reported income, and, for roughly 140,000 US customers, Social Security numbers. The breach affected consumers and small businesses who applied for credit cards between 2005 and 2019, a 14-year window.
After confirming the breach on July 19, the bank reported its findings to federal law enforcement. Ten days later, on July 29, the FBI arrested Seattle software engineer Paige A. Thompson, aka ‘erratic’, who has since been charged with violating the US Computer Fraud and Abuse Act. Prosecutors claim that posts in a Slack channel from an individual calling themselves ‘erratic’ refer specifically to the hack.
The FBI’s criminal complaint alleges that Thompson broke into Capital One’s cloud-hosted storage, believed to be Amazon Web Services S3 buckets, and downloaded their contents. Thompson worked for Amazon Web Services as a systems engineer specializing in cloud storage between 2015 and 2016, so in this case it seems it really did take one to know one.
Capital One’s stance since the news broke is especially interesting. US prosecutors said Thompson was able to access the data because of a ‘misconfigured web application firewall’, whereas the bank spun things a little differently, blaming an ‘exploited configuration vulnerability’. Strip away the wording and the two descriptions point at the same thing: a security control the bank had deployed, its web application firewall, was the component whose configuration let the attacker through. Capital One is responsible and, like Equifax, which agreed to pay at least $575 million to settle claims over its own recent breach, will almost certainly face penalties.
The bottom line is that Capital One is trying to spin a configuration error in its own security tooling as an elite attacker breaking in, while the prosecutor and the FBI don’t pull punches. This one is the company’s mistake, and a mistake that must be owned.
Most irksome for Capital One is how easily this sorry incident could have been avoided. The bank no doubt invests heavily in security technology, but to what end if its people cannot configure and operate it correctly? The effectiveness of security tech always comes back to the defenders’ understanding of the threat they are defending against. If they don’t have the right skills at the right time, an attacker will make short work of bypassing their security, however expensive it was.
To prevent mistakes like this, companies should find ways to show their security teams what insecure systems actually look like, from the attacker’s side as well as the defender’s. That is what lets defenders implement the expensive security tech at their disposal properly rather than just deploy it. Ultimately, it’s about putting people first and remembering the importance of upskilling ourselves. ‘Humans are underrated,’ after all, to quote Elon Musk.
The Immersive Labs platform is built to give your security team practical cyber skills when they need them most. We keep our finger on the pulse using world-class threat intelligence, which means that when a vulnerability comes to light, we aim to respond with interactive skills content the very same day. When it comes to understanding threats, theory is no match for hands-on time with real technology.
Our Amazon S3 lab covers the weaknesses that commonly affect buckets and the methodology attackers use to find and exploit them, and it could help protect your organization from a similar attack.