Capital One, one of the largest banks in the United States by assets, has announced that it has suffered a massive data breach affecting the personal and financial information of some 106 million individuals in the U.S. and Canada.

Simultaneously, the U.S. Attorney’s Office for the Western District of Washington announced that the person who allegedly perpetrated the breach has been arrested by the FBI and has already been charged.

What information was compromised?

According to Capital One, the accessed information is related to people who had applied for its credit card products and to Capital One credit card customers.

“Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada. The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income,” the company said.

“Beyond the credit card application data, the individual also obtained portions of credit card customer data, including: customer status data, e.g., credit scores, credit limits, balances, payment history, contact information, and fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.”

The company noted that credit card account numbers or log-in credentials were not compromised, but that around 140,000 Social Security numbers of their credit card customers, around 80,000 linked bank account numbers of their secured credit card customers, and approximately 1 million Social Insurance Numbers of their Canadian credit card customers were.

Capital One said that some of the data was encrypted, but that the level of access the attacker obtained also allowed it to be decrypted. They also said that some data – though obviously not all – was successfully protected through tokenization.

How and when did it happen?

Capital One was first notified about a possible intrusion by an external security researcher on July 17, 2019. They immediately began an investigation and, two days later, they confirmed the breach and discovered that the intrusion happened on March 22 and 23, 2019.

The FBI was called in and the alleged hacker arrested on July 29.

According to the complaint filed with a Seattle court, the individual in question is one Paige Adele Thompson (aka erratic), a former software engineer at the technology company AWS.

She managed to get access by exploiting a firewall misconfiguration, which allowed her to obtain security credentials, list the names of folders or buckets of data in Capital One’s AWS storage space, and to extract or copy data from them.

Although she used a VPN and Tor to hide her tracks, Thompson bragged on social media and in a Slack channel about the data theft. She also posted a file that led investigators to her GitHub account, which contained her full name.

When FBI agents arrested her and searched her home, they seized electronic storage devices containing a copy of the stolen data, as well as data of “other entities that may have been the targets of attempted or actual network intrusion.”

Comments from the security community

As Corey Quinn, Cloud Economist at The Duckbill Group, noted, Capital One has to be commended for not ignoring the researcher who flagged the possible intrusion, for not burying the news about the breach, for the quick investigation and disclosure, and for not having misconfigured their S3 buckets.

On the other hand, they didn’t restrict access to the S3 buckets containing highly sensitive information to known IP ranges and had no heuristics in place to flag the data exfiltration. Also, he pointed out, “if a single firewall misconfiguration can cause an issue like this, there are other systemic issues at play.”
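To make the two missing controls Quinn describes concrete (S3 access limited to known IP ranges, and heuristics that flag exfiltration), here is an added Python example that is not Capital One's, AWS's or Quinn's code: it runs three simple detectors over constructed, CloudTrail-style S3 events. The role name, addresses, bucket names and thresholds are all assumptions.

```python
"""Toy exfiltration heuristics over constructed CloudTrail-style S3 events (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions: the corporate ranges from which S3 reads are expected, and the
# thresholds; all are constructed for illustration, not Capital One's values.
KNOWN_RANGES = [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]
DISTINCT_BUCKET_LIMIT = 3      # reads across more buckets than this after ListBuckets
BYTES_OUT_LIMIT = 50_000_000   # total bytes one principal reads in the window

# Constructed sample events in the shape of CloudTrail S3 data events: a compute
# role (hypothetical name) enumerates buckets and then reads from several of them
# from an address outside the known ranges; an analyst reads one report normally.
EVENTS = [
    {"who": "role/edge-proxy", "name": "ListBuckets", "ip": "198.51.100.7", "bucket": None, "bytes": 0},
    {"who": "role/edge-proxy", "name": "GetObject", "ip": "198.51.100.7", "bucket": "apps-2015", "bytes": 30_000_000},
    {"who": "role/edge-proxy", "name": "GetObject", "ip": "198.51.100.7", "bucket": "apps-2016", "bytes": 25_000_000},
    {"who": "role/edge-proxy", "name": "GetObject", "ip": "198.51.100.7", "bucket": "apps-2017", "bytes": 20_000_000},
    {"who": "role/edge-proxy", "name": "GetObject", "ip": "198.51.100.7", "bucket": "apps-2018", "bytes": 20_000_000},
    {"who": "user/analyst", "name": "GetObject", "ip": "203.0.113.40", "bucket": "reports", "bytes": 1_000},
]

def outside_known_ranges(ip):
    """True when the caller's address is not inside any allow-listed range."""
    addr = ip_address(ip)
    return not any(addr in net for net in KNOWN_RANGES)

def flag_events(events):
    """Run the three heuristics; return sorted, de-duplicated (principal, reason) findings."""
    findings = set()
    enumerated = set()            # principals that have called ListBuckets
    buckets = defaultdict(set)    # principal -> distinct buckets read from
    bytes_out = defaultdict(int)  # principal -> bytes read so far
    for e in events:
        who = e["who"]
        if outside_known_ranges(e["ip"]):
            findings.add((who, f"S3 call from non-allowlisted address {e['ip']}"))
        if e["name"] == "ListBuckets":
            enumerated.add(who)
        elif e["name"] == "GetObject":
            buckets[who].add(e["bucket"])
            bytes_out[who] += e["bytes"]
            if who in enumerated and len(buckets[who]) > DISTINCT_BUCKET_LIMIT:
                findings.add((who, "ListBuckets followed by reads across many buckets"))
            if bytes_out[who] > BYTES_OUT_LIMIT:
                findings.add((who, "bytes read exceeds exfiltration threshold"))
    return sorted(findings)

if __name__ == "__main__":
    for who, reason in flag_events(EVENTS):
        print(f"{who}: {reason}")
```

Only the enumerate-then-read role trips the detectors; the analyst's single read from an allow-listed address produces no finding.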

Alex Heid, Chief Research Officer at SecurityScorecard, also said that the rapid response from Capital One is commendable.

“Compared to Equifax, this breach does not appear to have had anywhere near the same amount of impact. While there were hundreds of millions of records leaked, only a small percentage of those records contained social security information or banking information and there is no indication at this time that the data was distributed beyond the identified individuals,” he added.

“From the standpoint of any business handling large amounts of data, the use of third party hosting services within cloud computing environments is an unavoidable reality of the modern era. In addition to making use of a continuous monitoring service for all external assets, which is an important part of understanding the scope of the available attack surface, implementing a bug bounty reporting program will go a long way in making sure there’s always an ‘extra set of eyes’ on assets of value.”

Finally, this case highlights both the right way and the wrong way to go about reporting discovered vulnerabilities to large organizations, he noted. “The right way is to reach out to the official bug reporting point of contact with a polite email explaining your findings, the wrong way would be to publicly taunt the company while dumping the data to accounts under your real name.”

Matt Aldridge, Senior Solutions Architect at Webroot, said that while it’s reassuring to see that AWS isn’t explicitly at fault for this breach, it’s concerning that even established financial institutions with typically strong security practices are failing to lock things down correctly.

“What hope is there then for SMBs with limited budgets and expertise? This breach should serve as an unfortunate reminder that like all infrastructure components, cloud storage solutions should be properly evaluated, protected and maintained,” he concluded.