Information Systems

profilejtaylor72
CapitalOneABigBankHeistfromtheCloud.pdf

Capital One: A Big Bank Heist from the Cloud

Capital One Financial Corporation is an American bank holding company specializing in credit cards, auto

loans, banking, and savings accounts. It is the eleventh largest bank in the United States in terms of

assets and an aggressive user of information technology to drive its business. Capital One was an early

adopter of cloud computing and a major client of Amazon Web Services (AWS). Capital One has been

trying to move more critical parts of its IT infrastructure to Amazon’s cloud infrastructure in order to

focus on building consumer applications and other needs.

On July 29, 2019, Capital One and its customers received some very bad news. Capital One had been

breached, exposing over 140,000 Social Security numbers, 80,000 bank account numbers, tens of

millions of credit card applications, and one million Canadian social insurance numbers (equivalent to

Social Security numbers in the US). It was one of the largest thefts of data ever from a bank.

The culprit turned out to be Paige Thompson, a former employee of Amazon Web Services, which

hosted the Capital One database that was breached. Thompson was arrested in Seattle and charged

with one count of computer fraud and abuse. She had worked for the same server business that court

papers said Capital One was using. Thompson could face up to five years in prison and a $250,000 fine.

The bank believed it was unlikely that Thompson disseminated the information or used it for fraud. But

it will still cost the bank up to $150 million, including paying for credit monitoring of affected customers.

Amazon Web Services hosts remote servers that organizations use to store their data. Large enterprises

such as Capital One build their own web applications using Amazon’s cloud servers and data storage

services data so they can use the information for their specific needs.

The F.B.I. agent investigating the breach reported that Ms. Thompson had gained access to Capital One’s

sensitive data through a “misconfiguration” of a firewall on a web application. (A firewall monitors

incoming and outgoing network traffic and blocks unauthorized access.) This allowed her to

communicate with the server where Capital One was storing its data and customer files. Capital One

stated it had immediately fixed the configuration vulnerability once it had been detected. Amazon said

its customers fully control the applications they build and that it had found no evidence that its

underlying cloud services had been compromised.

Thompson was able to access and steal this sensitive information only because Capital One had

misconfigured its Amazon server. Thompson could then trick a system in the cloud to uncover the

credentials she needed to access Capital One’s customer records. Thompson’s crime was considered an

insider threat, since she had worked at Amazon years earlier. However, outsiders also try to search for

and exploit this type of misconfiguration, and server misconfigurations are commonplace.

Misconfigurations are also easily fixed, so many do not consider them a breach. Sometimes it’s difficult

to determine whether tinkering with misconfigurations represents a criminal activity or security

research.

Thompson was able to tap into Amazon’s metadata service, which has the credentials and other data

required to manage servers in the cloud. Ms. Thompson ran a scan of the Internet to identify vulnerable

computers that could provide access to a company’s internal networks. She found a computer managing

communications between Capital One’s cloud and the public Internet that had been misconfigured, with

weak security settings. Through that opening Thompson was able to request the credentials required to

find and read Capital One data stored in the cloud from the metadata service. Once Thompson located

the Capital One data, she was able to download them without triggering any alerts. Thompson also

boasted online that she had used the same techniques to access large amounts of online data from

other organizations.

Amazon has stated that none of its services, including the metadata service, were the cause of the

break-in and that AWS offers monitoring tools for detecting this type of incident. It is unclear why none

of these alerting tools triggered an alarm when Thompson was hacking into Capital One. Thompson

began hacking Capital One on March 12, 2019, but went undetected until an outside researcher tipped

off Capital One 127 days later. According to C. J. Moses, deputy chief information security officer for

AWS, Amazon restricts most staff members from accessing its broader internal infrastructure in order to

protect against “witting or unwitting” data breaches.

Security professionals have known about misconfiguration problems and the ability to steal credentials

from the metadata service since at least 2014. Amazon believes it is the customer’s responsibility to

solve them. Some customers have failed to do so. When security researcher Brenton Thomas conducted

an Internet scan in February 2019, he found more than 800 Amazon accounts that allowed similar access

to the metadata service. (Amazon’s cloud computing service has over one million users.) But Thomas

also found other cloud computing companies with misconfigured services as well, including Microsoft’s

Azure cloud.

Whatever the cloud service, the pool of talent capable of launching similar attacks is expanding. Given

the nature of cloud services, any person who has worked on developing technology at any of the major

cloud computing companies can learn how these systems work inpractice.

Capital One had a reputation for strong cloud security. The bank had conducted extensive due diligence

before deciding to move to cloud computing in 2015. However, before the giant data breach, Capital

One employees had raised concerns internally about high turnover in the company’s cybersecurity unit

and tardiness in installing some software to help spot and defend against hacks. The cybersecurity unit is

responsible for ensuring Capital One’s firewalls are properly configured and for scanning the Internet for

evidence of a data breach. In recent years there have been many changes among senior leaders and

staffers. About a third of Capital One’s cybersecurity employees left the company in 2018.