Remember the Capital One breach?
We did, even though we were sure it had happened a long time ago.
In fact, when we checked, it had: The story first broke almost three years ago, in July 2019.
At that time, the company reported:
Capital One Financial Corporation announced […] that on July 19, 2019, it determined that there was unauthorized access by an outside individual who obtained certain types of personal information related to individuals who had applied for its credit card products and to Capital One credit card customers.
And we noted at the time that:
So far, there are no details to suggest what kind of vulnerability was exploited, and therefore no indication of what has now been changed and how permanent or effective the fixes might be.
Was the breach due to an unpatched security bug, poor password choice, incorrect access control, cloud-related misconfiguration, or what?
All we knew at the time was that this was a huge breach by any standards, affecting at least:
- 100,000,000 users in the US
- 6,000,000 users in Canada
- Any consumer or small business that applied for a credit card in the previous 14 years.
- Personal data, including names, addresses, postal codes, telephone numbers, email addresses, dates of birth, and income.
Some customers also lost even more intimate personal information, such as credit scores, credit limits, balances, payment history, contact information, social security numbers (SSNs), and bank account numbers.
Fortunately, if that’s the right word in a case like this, “only” about 150,000 victims had their SSNs exposed (in the US, SSNs are lifetime unique national identification numbers), meaning that approximately 99.9% of the victims escaped that fate.
The cost of noncompliance
This breach cost Capital One dearly in more ways than one.
Despite the fact that the company itself was the victim of a cybercrime, it ultimately paid out a $190,000,000 class action settlement plus an $80,000,000 fine imposed by the United States Office of the Comptroller of the Currency (OCC).
The OCC noted:
[We] took these actions because the bank did not establish effective risk assessment processes before migrating significant information technology operations to the public cloud environment and did not correct deficiencies in a timely manner. In taking this action, the OCC viewed positively the bank’s customer notification and remediation efforts.
As you’ll note from the OCC’s comments above, the breach was ultimately blamed on poor cloud security, with data apparently exposed in the course of being moved from a privately controlled data store to the public cloud.
Of course, there’s no reason why a public cloud deployment can’t be done safely, but the potential consequences if it isn’t are huge.
A publicly visible cloud server is open to a much wider range of probes, attacks, and hacking, which is known in the jargon as “having a much larger and more exposed attack surface.”
Interestingly, the fact that this was a cloud-related breach was quickly revealed after Capital One notified its clients of the attack, because the suspected perpetrator was soon arrested.
Cloud “anti-security” scanning
Paige Thompson, who was 33 at the time, was accused of the attack, apparently using what might be called “anti-security” tools of her own making to scan cloud providers for vulnerable and misconfigured services, and from there to retrieve access credentials, gain access, extract data and implant malware.
At the time, the US Department of Justice (DOJ) suggested that Thompson had not intended to sell the stolen data, but rather had used compromised services for what is known as cryptojacking.
That’s where criminals deliberately install cryptomining software on other people’s devices, from laptops and mobile phones, through powerful gaming rigs, to physical and virtual servers.
Victims end up paying for electricity, cooling, and server time, while the criminals accumulate the cryptocurrency they earn in the process.
In any case, the DOJ has just announced that Thompson has now been convicted, though she will not be sentenced until September 2022:
Thompson was found guilty of [w]ire fraud, five counts of unauthorized access to a protected computer, and damage to a protected computer. The jury found her not guilty of access device fraud and aggravated identity theft.
Using Thompson’s own words in texts and online chats, prosecutors showed how Thompson used a tool she built to scan Amazon Web Services accounts for misconfigured accounts. She then used those misconfigured accounts to hack into and download the data of over 30 entities, including Capital One bank. With some of her illegal access, she planted cryptocurrency mining software on new servers, with the mining proceeds going to her online wallet. Thompson spent hundreds of hours advancing her plan and bragged about her illegal conduct to others through text messages or online forums.
In the words of the Justice Department, “Far from being an ethical hacker trying to help companies with their computer security, she took advantage of bugs to steal valuable data and sought to enrich herself.”
- If you want to get started in cybersecurity, read the rules and follow them. Many companies publicly endorse investigative-style “hacking” against their systems, and offer to pay so-called “bug bounties” to ethical researchers who responsibly report any holes they find so they can be patched before cybercriminals exploit them. But bug bounty programs almost always have explicit rules and clear limits on what is considered in scope. If you don’t follow the rules (for example, if you try to use your findings as a form of “bug blackmail,” or if you deliberately disrupt services or steal data when it wasn’t necessary to prove your point), then you are unlikely to be treated very sympathetically.
- Routinely and regularly scan your own online assets for security weaknesses. As this case shows, if you don’t scan cloud resources for misconfigurations and exposed data, criminals will do it for you.
- Practice what you will say and how you will react if you get breached. Although Capital One ended up with an $80 million fine in this case, regulators noted that they “viewed positively the bank’s customer notification and remediation efforts,” meaning things would have been much worse if Capital One had tried to sweep the incident under the rug. A quick reaction also gives law enforcement a chance to collect evidence before it can be destroyed.
Planning for the case that you fail doesn’t mean you’re planning to fail, and you’ll probably find that your preparations make failure less likely anyway.
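One concrete form of the “scan your own cloud resources for misconfigurations and exposed data” advice above is to audit your bucket policies for anonymous access before anyone else does. The following is an added example, not code from the article or from Capital One; it runs offline over constructed S3 bucket policy documents with placeholder account IDs, and flags any Allow statement whose principal is the whole internet.

```python
"""Offline check of S3 bucket policies for the kind of misconfiguration the
article warns about: data readable by anyone on the internet.
Example code added here, not from the article or from Capital One.
The policy documents are constructed samples with placeholder account IDs."""

SAMPLE_POLICIES = {  # constructed: one world-readable bucket, one restricted
    "customer-applications": {"Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::customer-applications",
                     "arn:aws:s3:::customer-applications/*"]}]},
    "internal-logs": {"Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/LogReader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::internal-logs/*"}]},
}

def _as_list(value):
    """IAM lets most fields be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_public_principal(principal):
    """True when a statement applies to anyone, i.e. anonymous access.
    Handles both the bare "*" form and {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False

def public_grants(policy):
    """Return [(actions, conditioned)] for every Allow statement open to the
    world. 'conditioned' is True when a Condition block narrows the grant
    (e.g. by source IP); treat those as needing review, not as safe."""
    grants = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal")):
            grants.append((sorted(_as_list(stmt.get("Action"))), "Condition" in stmt))
    return grants

def audit(policies):
    """Bucket name -> public grants; an empty list means no anonymous access."""
    return {name: public_grants(doc) for name, doc in policies.items()}

if __name__ == "__main__":
    for bucket, grants in audit(SAMPLE_POLICIES).items():
        print(f"{bucket}: {'PUBLIC ' + str(grants) if grants else 'OK'}")
```

In a real account you would feed `audit()` the documents returned by your cloud provider’s API, and treat bucket ACLs and account-level public-access settings as separate checks, since a clean policy alone does not prove a bucket is private.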