Capital One data theft raises questions about securing Amazon Web Services accounts

A data breach of about 106 million Capital One accounts appears to have been carried out by a former Amazon Web Services employee who was able to access Capital One’s data stored on AWS.

Capital One (COF) admitted Monday that the hacker exploited a “specific configuration vulnerability in our infrastructure,” adding that they moved to immediately address that issue. Details on the breach are limited to the criminal complaint against the hacker, but cybersecurity experts say Capital One — and maybe even AWS — could have done more to protect consumer data.

Late on Monday, Capital One reported that an “outside individual” obtained personal information for about 100 million credit card customers and applicants in the U.S. with another 6 million in Canada. Capital One said the information covered personal information spanning the period between 2005 and early 2019. About 140,000 Social Security numbers were breached in addition to about 80,000 linked bank account numbers.

The U.S. Attorney’s Office for the Western District of Washington disclosed the same day that it had arrested Paige Thompson in Seattle for allegedly stealing data from Capital One, claiming that Thompson had managed to steal the data from the bank’s storage space at “a company that provides cloud computing services.”

Although the criminal complaint does not name the company, it references Thompson’s page on code-sharing site GitLab. That site includes a resume detailing her experience between May 2015 and September 2016 as a level four systems engineer at Amazon (AMZN)’s S3, one of the services offered by AWS.

Capital One has boasted of its use of AWS offerings, and announced in 2015 that all of its new company applications would run on the cloud.

Ensuring security

TrustedSec’s Alex Hamerstone told Yahoo Finance that based on initial details it is possible Capital One could have erred in the way it set up its AWS storage.

“How you log into it and how you manage the access to it is often times on you,” Hamerstone said. “So how you configure it and how you set it up is on you, not on Amazon.”

In recent years, some companies have had data exposed due to poor set-up by the business customer. In 2017, World Wrestling Entertainment said that it had exposed personal data for about 3 million people and Verizon (now Yahoo Finance’s parent company) exposed data for between 6 million and 14 million customers.

At the time, Wired reported that both the WWE and Verizon data exposures appeared to be the case of setting up a cloud account that inadvertently left data out in the open.

Leo Taddeo, a former special agent in the FBI’s New York Cyber Division, told Yahoo Finance that in Capital One’s case, misconfiguration can “mean a number of things.” But Taddeo said it is unlikely to be the result of a weakness in AWS’s systems.

“It’s unlikely to be a technical vulnerability that she took advantage of,” said Taddeo, now Cyxtera chief information security officer. “AWS is highly secure.”

Three-stage attack

Thompson’s hack first took place in March 2019 and was carried out in three stages.

In the first step, Thompson crafted a command that obtained security credentials for a web application firewall (WAF) role that could be used to open some Capital One folders stored on AWS. Next, Thompson used a command that lists the directory of folders and data within Capital One’s AWS storage space. The last step: executing a command that extracts and copies the data.

The criminal complaint alleges that Thompson first copied files on March 22, and then again on April 21.

Treadstone Chief Intelligence Officer Jeff Bardin told Yahoo Finance that by using an insider log-in, Thompson was able to access Capital One files without triggering security protocol.

“Most of what they do is intrusion detection, intrusion prevention to look at attacks from the outside and they’re not looking at the possible insider threat,” Bardin said.

Capital One may have left their data open for the taking by overlooking the vast amount of access that it granted to insider accounts.
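The detection gap Bardin describes above (tooling watching the perimeter while an insider-style login with broad access goes unnoticed) can be illustrated from the logging side. The script below is an added example written for this page, not code from Capital One, AWS or any of the people quoted. It runs over a handful of constructed CloudTrail-style records (placeholder account id, role name, bucket and IP addresses) and flags the two shapes the article attributes to the three-stage attack: a role's temporary credentials being used from an address that is not the instance they belong to, and a bucket listing followed by a burst of object reads from the same session.

```python
"""Detection logic over constructed CloudTrail-style S3 records.

Flags two patterns from the breach narrative:
  1. an instance role's temporary credentials used from a source IP that is
     not one of the instance's own addresses (credentials taken off-host);
  2. a ListBuckets call followed by a burst of GetObject calls from the same
     session within a short window (enumerate, then copy).
All identifiers and log lines below are constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: the source IP(s) each instance-profile role is expected to
# call AWS APIs from (the instance's own addresses). In a real deployment
# this would come from inventory, not a hard-coded dict.
EXPECTED_SOURCE_IPS = {
    "arn:aws:iam::123456789012:role/example-waf-role": {"10.0.1.25"},
}

# Constructed records, one JSON document per line. 203.0.113.7 is a
# documentation address standing in for an address outside the VPC.
SAMPLE_LOG = """\
{"eventTime": "2019-03-22T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "10.0.1.25", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0abc"}}
{"eventTime": "2019-03-22T11:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0abc"}}
{"eventTime": "2019-03-22T11:00:05Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0abc"}}
{"eventTime": "2019-03-22T11:00:06Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0abc"}}
{"eventTime": "2019-03-22T11:00:07Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "203.0.113.7", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/example-waf-role/i-0abc"}}
{"eventTime": "2019-03-22T12:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "198.51.100.4", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/other-role/batch-job"}}
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(log_text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def role_arn_from_session(session_arn):
    """Map an STS assumed-role session ARN back to its IAM role ARN.

    arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCOUNT:role/ROLE
    Returns None for identities that are not assumed-role sessions.
    """
    prefix = "arn:aws:sts::"
    if not session_arn.startswith(prefix):
        return None
    account, _, rest = session_arn[len(prefix):].partition(":")
    kind, _, tail = rest.partition("/")
    if kind != "assumed-role" or "/" not in tail:
        return None
    return f"arn:aws:iam::{account}:role/{tail.split('/', 1)[0]}"


def find_credential_use_offhost(events, expected=EXPECTED_SOURCE_IPS):
    """Return (session_arn, source_ip, event_name) for every call made with a
    known instance role's credentials from an IP the instance does not own."""
    hits = []
    for ev in events:
        session = ev["userIdentity"]["arn"]
        role = role_arn_from_session(session)
        if role not in expected:
            continue  # roles we have no inventory for are not judged here
        if ev["sourceIPAddress"] not in expected[role]:
            hits.append((session, ev["sourceIPAddress"], ev["eventName"]))
    return hits


def find_enumerate_then_copy(events, window=timedelta(minutes=10), min_reads=3):
    """Return sessions that listed buckets and then read at least `min_reads`
    objects within `window`: the list-then-extract shape in the complaint."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["userIdentity"]["arn"]].append(ev)
    flagged = []
    for session, evs in by_session.items():
        evs.sort(key=lambda e: e["eventTime"])  # ISO-8601 sorts lexically
        for i, ev in enumerate(evs):
            if ev["eventName"] != "ListBuckets":
                continue
            t0 = datetime.strptime(ev["eventTime"], TIME_FMT)
            reads = 0
            for later in evs[i + 1:]:
                if datetime.strptime(later["eventTime"], TIME_FMT) - t0 > window:
                    break
                if later["eventName"] == "GetObject":
                    reads += 1
            if reads >= min_reads:
                flagged.append(session)
                break
    return flagged


def analyze(log_text=SAMPLE_LOG):
    """Run both detections and return their findings keyed by name."""
    events = parse_events(log_text)
    return {
        "offhost_credential_use": find_credential_use_offhost(events),
        "enumerate_then_copy": find_enumerate_then_copy(events),
    }


if __name__ == "__main__":
    for name, hits in analyze().items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

The first check is the one that matters most here: temporary credentials minted for a role are tied to a specific workload, so any call carrying them from an address that workload does not use is worth an alert regardless of whether the caller "looks like" an insider. The second check is weaker on its own (legitimate batch jobs list and read too) but is cheap to compute and, combined with the first, gives an analyst the timeline the complaint reconstructs after the fact.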

‘If only you knew’

On July 18, Thompson sent a tweet that shares one possible way that she could have completed the first step of her hack. From an account named “erratic,” Thompson appeared to acknowledge code posted by another user highlighting a possible way to tap AWS credentials. Thompson quote-tweeted, “Oh if you only knew friend, if you only knew” in a possible allusion to the Capital One hack that she had carried out months earlier.

The code scans a targeted directory for metadata that includes the “access key” and “secret key” (think username and password) to an AWS account. If it finds them, the following code queries a “magic IP address” that, if done correctly, would reveal the keys to the targeted AWS account.

It is unclear if this is the exact strategy that Thompson used in the hack.

Although Capital One acknowledged that the vulnerability was “in our infrastructure,” one security consultant says AWS could have had stronger protocols on their end, as well.

Independent AWS security consultant Scott Piper told Yahoo Finance that the “magic IP address” strategy in Thompson’s tweet appears to line up with details in the criminal complaint.

Piper says Amazon should be aware of the issue, which has been known to coders as early as 2014.

“For those of us that do security, it is a fairly frustrating situation as there is a fairly easy thing that AWS could do to dramatically improve this situation, defeating a lot of attacks,” Piper said. “The issue has been raised to AWS many, many times.”

Although Thompson likely benefited from having extensive knowledge of the AWS platform, the magic IP appears to be accessible by even non-Amazon employees. Piper has posted exercises online illustrating the code that one would see if they were able to steal an AWS account’s access key and secret key.

An example of the "magic IP" address revealing the access and secret keys to a given AWS account. Provided by Scott Piper.

An AWS spokesperson confirmed to Yahoo Finance that the attack required no insider knowledge or access, but said that AWS had not been compromised and functioned as intended.

Piper said ultimately Capital One only could have done so much.

“The mistakes Capital One made are more like the security guard locked all the doors, but they could have installed an additional door inside a hallway to further deter someone that managed to break through one of the outer doors,” Piper said.

Capital One did not respond to requests for comment. The company said in a statement Monday that it would offer free credit monitoring and identity protection to those affected.

Note: This story originally stated that the former AWS employee used her knowledge of AWS code to carry out the data theft. The story was amended on July 31 to reflect that it is not clear she used her knowledge of AWS code.

Brian Cheung is a reporter covering the banking industry and the intersection of finance and policy for Yahoo Finance. You can follow him on Twitter @bcheungz.
