Capital One Is the One to Blame for Exposing Your Data

The major US bank Capital One disclosed a major data breach on Monday evening, revealing that an individual accessed the personal data of 100 million people in the United States and around 6 million in Canada.

The FBI has already arrested and indicted Paige Thompson, who worked as a software engineer in Seattle, for allegedly hacking Capital One and posting the data to her GitHub account.

“I am deeply sorry for what has happened,” Richard Fairbank, the CEO of Capital One, said in a Capital One press release. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

We still don’t know exactly how Thompson hacked Capital One, but the data breach exposed sensitive data for tens of millions of people, and—unfortunately—there’s not much you can do as a potential victim.

According to the complaint, Capital One found the IP address of a specific server in a file on Thompson’s GitHub after a tipster flagged the account to the financial giant.

“A firewall misconfiguration permitted commands to reach and be executed by that server, which enabled access to folders or buckets of data in Capital One’s storage space at the Cloud Computing Company,” the complaint reads, without explicitly naming the company. The charging documents, however, mention that the stolen data was stored in “S3,” short for a popular piece of Amazon Web Services software. It adds that the file contained code for three commands, indicating the simple process Thompson may have taken to allegedly download the data.

Have a tip about a data breach or a security incident? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com

The first obtained security credentials from an account called “****-WAF-Role,” with WAF standing for web application firewall (we don’t know how exactly Thompson obtained those credentials to log into the system). The second listed the number of buckets or folders of data; 700 according to the complaint. The third command copied the data from the Capital One repository.

Clearly, there was some sort of issue with how Capital One was protecting this AWS bucket—it appears someone was able to access the data it contained pretty easily. But the exact scope of that misconfiguration is unclear.

“It’s difficult to know the details from the information publicly available, but it sounds like they made a basic configuration error with their cloud services,” Kevin Beaumont, a security researcher, said.

In its press release announcing the incident, Capital One wrote, “We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.”

But experts took issue with that framing.

“Some of it doesn’t make sense. They are saying the bucket was encrypted but access also enabled decryption?” John Bambenek, VP security research and intelligence at cybersecurity firm ThreatSTOP told Motherboard in a Twitter message. “That encryption is academic at best because if just a username and password is required, then for any threat model in effect there is no encryption.”

“‘Deeply sorry’ from a CEO post-breach—and make no mistake, this *was* a data breach, not just an ‘incident’—is the equivalent of politicians’ ‘thoughts and prayers.’”

Bambenek said there appeared to be three main mistakes in this instance.

“One, no effective encryption. API keys should not give access to cleartext data. Two, firewall rules that didn’t lock down [which] IPs can access the buckets. Three, whatever happened that enabled her to get the keys.”

The stolen data included names, addresses, zip codes, phone numbers, email addresses, dates of birth, and portions of customer status data such as credit scores and some transaction data, according to Capital One’s press release.

Capital One’s press release also said, bizarrely, that no Social Security numbers or bank account numbers were compromised, then immediately revealed that 140,000 Social Security numbers and 80,000 account numbers were compromised.

Capital One did not immediately respond to a request for comment.

Several experts praised Capital One for its quick response—it took 10 days for the company to disclose the breach after finding it—but some criticized the way the company tried to frame it.

“Like all too many responses to crises of many kinds, Fairbanks’ comment on the breach reads as overly formal and inauthentic,” Ariel Robinson, a cybersecurity consultant and Senior Policy Strategist at Smooth Sailing Solutions, said. “‘Deeply sorry’ from a CEO post-breach—and make no mistake, this *was* a data breach, not just an ‘incident’—is the equivalent of politicians’ ‘thoughts and prayers.’”

It may be too early to tell the full extent of the damage in this data breach. Capital One said in its release, ”we believe it is unlikely that the information was used for fraud or disseminated by this individual.” For now, it seems like Capital One’s response left much to be desired.

Subscribe to our new cybersecurity podcast, CYBER.