Capital One Data Breach Update: Former Amazon Engineer Convicted

4 mins to read

Since we first wrote about the Capital One data breach, there have been significant developments. This week a Seattle jury has found Paige Thompson, a former Amazon software engineer accused of stealing data from the financial organization, guilty of wire fraud, and five counts of unauthorized access to a protected computer. We first reported on the Capital One data breach in 2019 and we did a follow-up story revisiting the breach in 2021 to help organizations understand the cause of the data breach and how it can be avoided in the future. So what exactly happened in this data breach?

In March of 2019, Capital One suffered a significant insider hacking incident in which a malicious action exploited a misconfigured open-source web application that Capital One was using as part of its operations hosted in AWS to get unlimited access to very sensitive data. The incident resulted in the access of approximately 100 million credit card applications. A few months later, Capital One was alerted to the situation after the insider, Paige Thompson, bragged about taking the company’s data in online discussion groups.

The New York Times reported Thompson was a former employee of AWS who also happened to run a small group of hackers and programmers on Meetup, a site geared toward organizing real-life gatherings. According to the Department of Justice, Thompson used a tool she built herself to scan AWS for misconfigured accounts. Thompson then allegedly used those accounts to infiltrate Capital One’s servers and download over 100 million customers’ records.

At the time, Capital One investigated the incident and corrected the vulnerability promptly. However, despite receiving credit for its customer notification and remediation efforts, the Office of the Comptroller of the Currency (OCC) issued a Consent Order against Capital One Bank including a civil money penalty of $80,000,000 on August 5, 2020.

A former Amazon employee living in Seattle was convicted Friday of crimes related to a hack of Capital One. (Emon Hassan / The New York Times, file)

Now, this week, a jury has decided that Thompson violated the Computer Fraud and Abuse Act by creating a tool that can look for AWS misconfigured accounts, but her lawyers argued that she used the same tools and method used by ethical hackers. However, as many in the industry know, her actions appear to be far from ethical as it was not included in the company’s security strategy and the misconfigurations were exploited to steal valuable data to enhance and enrich her personal life.

In Capital One’s circumstances, the OCC linked the data breach to problems with Capital One’s cloud migration plan. Back in 2015, Capital One failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment. It failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts. It is an apt reminder that processes and procedures should not only focus on the reactive but also be proactive in mitigating risk before an incident occurs.

Since the CapitalOne data breach, we have reported on additional data breaches from Reserve Bank of New Zeala, Morgan Stanley Bitmart, Neiman Marcus Group, and more. Data breaches remain a challenge despite an increase in cloud security awareness and investments. This past year has been particularly dire for cloud data breaches taking aim at the finance industry, with incidents taking down networks for weeks at a time, disrupting business throughout the country, and in some cases, closing down organizations. How can organizations stop data breaches from happening?

All financial institutions have a responsibility to safeguard employee, customer, and applicant data. Your organization needs to know at all times where its data is located, who can access the data, and when it is accessed. Your organization should focus attention on managing a baseline configuration state and desired state configuration across your environments. You need to monitor, maintain and continuously be aware of your environment’s state of health and compliance with your governance frameworks at all times. However, this can be easier said than done, so it is important to have the right tooling to help you find your security baseline and graph your identity and data relationships.

Audits are expected to review every aspect of the information security program, the environment in which the program runs, and the outputs of the program. These audits should report on control deficiencies to decision-makers, identify root causes and recommend corrective action for deficiencies. Audits should track the results and the remediation of control deficiencies reported therein along with any additional technical reviews. Capital One’s internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment. Internal audit also did not effectively report on and highlight identified weaknesses and gaps to the institution’s audit committee. Often plans and processes are legal obligations, but the effectiveness of these plans hinges on diligent execution. It is important to view these processes from a ‘living’ perspective and remain vigilant in performing each step in a timely fashion.

Organizations with stronger security culture are expected to generally integrate information security into new initiatives from the outset and throughout the lifecycle of services and applications. Because the board, or a designated board committee, should be responsible for overseeing the development, implementation, and maintenance of the institution’s information security program and holding senior management accountable for its actions, many organizations have created a Cloud Center of Excellence (CCoE). The CCoE should reasonably understand the business case for information security and the business implications of information security risks; provide management with direction; approve information security plans, policies, and programs; review assessments of the information security program’s effectiveness; and, when appropriate, discuss management’s recommendations for corrective action. An effective security-driven culture should be prioritized from the top down to demonstrate the importance of the issue. Many organizations have begun to embrace “shifting left” to integrate security into the cloud earlier in the process thus making a stronger security culture within the organization. 

Regardless of how developed an organization’s program is or how big the budget may be, it is always appropriate to take a step back and review the basics of cloud security and ensure your teams have the right tools to manage identities and data.