The Capital One data breach saw the personal information of more than 100 million of the bank's credit card customers and applicants in the US and Canada stolen by a single attacker. Even as details continue to emerge about the nature of the incident, it has proven to be at once the same as and yet different from every other high-profile breach. The perpetrator used a relatively simple but often overlooked class of vulnerability, server-side request forgery (SSRF), in which an attacker tricks a server into making requests on their behalf. It is not specific to the cloud, but on a public cloud server it can expose the instance metadata service and the temporary credentials that service hands out.
This breach highlights many of the issues inherent in cloud security, namely those that come with third-party network access and remote servers. Yet this story should not be taken as a rebuke against migrating to public cloud services, but as an example of why vigilance is needed to defend a cloud-hosted infrastructure against all threats. In the breakdown below, we will go over what went wrong in Capital One's case and what lessons can be learned for cybersecurity in the cloud:
Capital One Data Breach – What Happened?
Many news outlets and independent blogs have covered and continue to cover this story in detail, so only a quick summary will be provided here. In late July 2019, the FBI and Capital One revealed that the latter had been the victim of a breach carried out from March through April of the same year. Within 10 days of the breach being discovered, the FBI tracked down and arrested the perpetrator, thanks to her public admissions of the crime on social media as well as other evidence the agency uncovered that proved it was not a hoax.
The hack exposed information from approximately 106 million credit card applications, including US Social Security numbers, Canadian social insurance numbers, bank account numbers and credit scores. The data appeared on a public GitHub page some time before July 17, which is when another user came across it and notified Capital One, who then informed the FBI.
Paige Thompson – Hacker, Cryptojacker, Former Amazon Employee
The hacker in question turned out to be Paige A. Thompson of Seattle, a former employee of Amazon Web Services (AWS), Amazon's cloud infrastructure-hosting division. The Capital One data was hosted on AWS. Her earlier employment gave her familiarity with how AWS environments are built, but she did not use insider access: she exploited a misconfigured web application firewall in front of Capital One's environment, obtained the temporary credentials of the role assigned to that server, and used them to copy data out of Capital One's storage buckets to servers she controlled. Thompson was fairly public about her activities before the breach, and at least one employer described her as a law-abiding "white hat" hacker; nothing revealed thus far indicates why she decided to commit such an egregious attack.
However, her comments on social media do show that she was aware of the consequences if the data were found on her personal servers, which is why she moved it to a directory on GitHub. Despite this awareness, the investigation has uncovered evidence of intrusions into more than 30 other organizations carried out by Thompson, who also used her victims' computers for cryptocurrency mining (also known as cryptojacking).
From Cloud Pioneer to Public Cloud Cautionary Tale
Capital One's migration to a cloud-hosted IT infrastructure was previously a hot topic, lauded by proponents of cloud computing and by Amazon alike as both a proof of concept and an example of industry disruption. Now Amazon has denied that any AWS service was compromised, and Capital One is being held up as a warning of what can go wrong with public cloud deployments. Part of the problem with assigning blame is that AWS relies on a "shared responsibility" model, which splits the security burden between the two sides of the cloud service relationship: AWS is responsible for security of the cloud (the physical facilities, hardware and underlying services), while the customer is responsible for security in the cloud (operating systems, applications, firewall and access configuration, and the data itself). A misconfigured firewall and an over-privileged server role fall on the customer's side of that line.
Third Party Cloud Servers and Misconfigured Firewalls
This is not the first time that a business has had data compromised through a third-party server, nor even the first time a large enterprise has experienced it, as Uber went through multiple incidents of this kind. The race to the cloud has exposed a weakness that used to be contained by physical security controls: once every server is reachable over the Internet, access spreads faster and further than most businesses can monitor.
Cloud Security Requires a Proactive Defense
The class of bug Thompson exploited had been known for some time, and it was not exclusive to cloud servers. Because exploiting it required a certain level of access and effort, it was left for someone else to devote resources to fixing it; cloud connectivity, however, prevents anything from existing in a vacuum for long. A server that can be coaxed into fetching an attacker-chosen URL can be pointed at internal addresses, including the cloud provider's metadata endpoint, and every such server now sits on a network shared with the rest of the Internet. With the cloud connecting everyone, only vigilance and consistent monitoring will protect your network, just as they would any effectively public space.
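The following is an added illustration of the check a practitioner would put in front of any server-side URL fetch to close off the SSRF-to-metadata path described above. It is example code written for this article, not code from Capital One, AWS or the original author; the function names (`resolve_target`, `is_safe_target`, `plan_fetch`) and the `resolve` stub parameter are our own, and the 169.254.169.254 and fd00:ec2::254 metadata addresses are AWS's documented endpoints.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Address ranges a back-end URL fetcher should refuse on user-supplied input.
# 169.254.169.254 (the EC2 instance metadata service) lives in the link-local
# block; the rest cover loopback, RFC 1918 space and the IPv6 equivalents.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local, includes IMDS
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("0.0.0.0/8"),       # "this host" on many stacks
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("::1/128"),         # IPv6 loopback
    ipaddress.ip_network("fe80::/10"),       # IPv6 link-local
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique-local (fd00:ec2::254 IMDS is here)
]


def is_blocked_ip(ip_text):
    """True if the address falls in a range the fetcher must never contact."""
    addr = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 literal such as ::ffff:169.254.169.254 is a common
    # filter bypass; unwrap it and check the embedded IPv4 address instead.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_target(url, resolve=socket.gethostbyname):
    """Return the IP the URL would connect to, or None if it must not be fetched.

    `resolve` maps a hostname to an IP string (default: system DNS). It is a
    parameter so the check can be exercised offline with a constructed table.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None  # file://, gopher://, etc. are never legitimate here
    host = parsed.hostname
    if not host:
        return None
    try:
        ipaddress.ip_address(host)  # literal IP in the URL
        ip_text = host
    except ValueError:
        try:
            ip_text = resolve(host)  # hostname: check what it points at
        except OSError:
            return None  # unresolvable name: fail closed
    if is_blocked_ip(ip_text):
        return None
    return ip_text


def is_safe_target(url, resolve=socket.gethostbyname):
    """Convenience wrapper: may the server fetch this URL at all?"""
    return resolve_target(url, resolve) is not None


def plan_fetch(url, resolve=socket.gethostbyname):
    """Return (ip, host_header, path) for a pinned connection, or None.

    The caller should open the socket to `ip` and send `host_header` as the
    Host / SNI name, so the address that was checked is the one contacted.
    Resolving once here closes the DNS-rebinding window between check and use.
    """
    ip_text = resolve_target(url, resolve)
    if ip_text is None:
        return None
    parsed = urlparse(url)
    path = parsed.path or "/"
    if parsed.query:
        path = path + "?" + parsed.query
    return (ip_text, parsed.hostname, path)
```

Two caveats apply when this goes into production. First, the HTTP client used for the actual request must be configured not to follow redirects, or each redirect target must go back through `plan_fetch`, because a permitted external host can simply 302 to 169.254.169.254. Second, this check only reduces the attack surface on the application side; on the AWS side, the instance metadata service should be required to use IMDSv2, which demands a session token obtained with a PUT request and, by default, a hop limit that stops forwarded requests, so a plain GET relayed through a proxy or WAF no longer returns role credentials.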
Protect Your Migration to the Cloud with Secure Cloud Hosting
SWK Technologies has launched the only cloud application hosting service in its market to be protected by a Smart SOC (security operations center). The Smart SOC is staffed by cybersecurity veterans with firsthand knowledge of hacking methodologies and who actively monitor your network for attacker footprints, acting on any signs of intrusion to prevent data breaches like Capital One’s.