106 million US and Canadian Capital One accounts compromised
Former AWS engineer, named as Paige Thompson, arrested over Capital One security breach that took advantage of a misconfigured firewall to access accounts stored in S3 bucket
Capital One has warned that the personal information of 106 million Americans and Canadians have been exposed in a data breach that occurred in March and April this year.
A former Amazon Web Services (AWS) software engineer, named as Paige Thompson, has been arrested in connection with the breach. She appeared in court on Monday, charged with computer fraud and abuse. She faces up to five years in prison and a fine of up to $250,000.
She recognises that she has acted illegally
The compromised data includes 140,000 all-important US Social Security numbers, one million Canadian Social Insurance numbers and bank account details of 80,000 American customers. In addition, names, addresses, dates of birth, credit scores and details relating to Capital One credit card balances were also compromised.
The bank admitted the breach late on Monday. "Based on our analysis to date, this event affected approximately 100 million individuals in the US and approximately six million in Canada," Capital One admitted in a statement. "No credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised."
It continued: "The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019.
Based on our analysis to date, this event affected approximately 100 million individuals in the US
"This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income."
However, questions remain over Capital One's security and breach notification procedures.
The security breach reportedly occurred on Friday 22 March and Saturday 23 March this year, with data exfiltrated in April. But the bank only became aware of the breach when it was alerted by an email from Thompson on 17 July this year. Earlier this month, Thompson posted information about the theft on her personal GitHub account.
Additional evidence linking Thompson to the attack includes the IP addresses used to post data on GitHub and statements made by Thompson on social media indicating that she had information on Capital One. "She recognises that she has acted illegally," the court documents add.
Following the email of 17 July, Capital One determined that the firewall protecting a specific server running on AWS had been misconfigured.
An investigation by Capital One indicated that Thompson had been able to obtain credentials for an administration account, had searched for the names of folders or data buckets on Capital One's storage space on AWS, and extracted and exfiltrated data.
The information Capital One was able to determine was vulnerable due to the firewall misconfiguration corresponded to the data spilt on Thompson's GitHub page.
Capital One has been engaged in a five-year project to shift its core applications over to AWS, a move that the bank's CIO, Rob Alexander, said would help the company to become more agile. "
Technology is going to play a central role in the future of banking as we move toward an experience that is real-time, digital-first, and that anticipates customer needs," he told Computing in 2016.
It has also recently adopted DevOps development methodologies and even put together its own visualisation tools based on MongoDB.