Virginia-Based Capital One Hacked

Who let the dogs data out?  McLean-based Capital One has been hacked in one of the largest data breaches ever. A single hacker with apparent mental health issues managed to copy 100 million credit card applications and accounts. The seeming ease with which the hacker compromised what should have been ironclad security is shocking. The bank’s stumbling and fumbling explanations of what happened have not helped Capital One’s cause.

The hacker who couldn’t shoot straight.  The FBI has arrested 33-year-old Seattle resident Paige Thompson in connection with the data breach. Ms Thompson, who goes by the online name of “erratic,” made so many mistakes that her capture was tantamount to turning herself in. Slate reports, “According to a federal indictment, Thompson posted the data she pilfered on her GitHub profile on April 21, where she had also uploaded her résumé with her full name listed and details about her employment history.” Erratic indeed … not exactly up to the standards of Frank Abagnale. Ms. Thompson also posted her interest in euthanizing her cat and committing herself to a mental institution on social media.

Don’t blame the cloud. The Capital One data was resident on a storage service provided by cloud vendor Amazon Web Services (AWS). While Ms Thompson did work for Amazon Web Services in the past, AWS has refused to accept any blame for the hack. From early descriptions of how the breach occurred it seems that AWS is correct in asserting that it is not to blame. If I were an AWS spokesman (and I am not), I would say, “We make excellent doors, locks and keys. However, if a homeowner leaves the door open and tapes the keys to the outside of the door they should not expect much in the way of security.”

Anatomy of the hack. Details are still somewhat sketchy but the FBI complaint provides more information than usual in situations like this. Some would say the following discussion of what happened is premature (aka “the Benghazi defense”). I disagree. This is a big bank entrusted with very sensitive information. Their actions need to be examined now. Without getting “into the weeds” on how AWS works and the apparent deficiencies in Capital One’s security measures, this is what happened (for more detailed analyses, look here and here):

  1. Capital One was running some of its application base on AWS. This included leasing compute instances, firewalls and storage from Amazon. Like all public cloud providers AWS leaves it up to the customer to configure the security of the components they are leasing. Properly configured, AWS is a very secure environment.
  2. A firewall designed to prevent unauthorized access to Capital One’s environment was misconfigured (presumably by Capital One). This was the open door that allowed Ms Thompson access to a system she should never have been able to penetrate.
  3. Once inside the perimeter of the Capital One “system,” Thompson somehow gained access to the credentials which describe what legitimate Capital One users are allowed to do within this “system”.
  4. The compromised credentials allowed read access to data stored in AWS’ Simple Storage Solution (S3) service. This is where the credit card applications, account data, etc. was being stored by Capital One. Thompson used these credentials to read and copy the data.
  5. Some of the data were encrypted and some were not. According to the Seattle Times, “Most of the data copied from Capital One’s data folders between March and July were primarily credit-card applications and while some of it, such as Social Security numbers, had been encrypted, other information — including names, addresses, dates of birth, and credit-history information — was not …” As will be discussed later it seems that none of the data was effectively encrypted.

Capital One’s bumbling public commentary. Capital One has done itself no favors in its post-breach commentary. e-Radio.USa has an excellent article on the matter.  “I am deeply sorry for what has happened,” Richard Fairbank, the CEO of Capital One, said in a Capital One press release. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.” On the heels of the Equifax breach this is simply inadequate. As others have said, this corporate-speak comment sounds a lot like the “thoughts and prayers” offered by politicians to the families of mass shooting victims. America doesn’t need your apologies Mr. Fairbank – we need to know what the hell you’re going to do to stop this from ever happening again. As far as calling this an “incident” … are you kidding? This was a massive breach.

Capital One also blurted out some babble-talk about encryption. In its press release announcing the incident, Capital One wrote, “We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.” This is the equivalent of taping the keys to the door on the front of the door. The data was encrypted but accessing it decrypted the data? Once again I ask … are you kidding?

As e-Radio.USa notes, “Capital One’s press release also said, bizarrely, that no Social Security numbers or bank account numbers were compromised, then immediately revealed that 140,000 Social Security numbers and 80,000 account numbers were compromised.”

The breach happened in March. Capital One was unaware until they got an e-mail tip that the breach happened. That was ten days ago. One would have thought that in ten days the company could have at least gotten its corporate messaging straightened out. Apparently not.

Going forward. Congress will undoubtedly hold hearings on this data breach. That will be just as ineffective as the hearings held in the aftermath of the Equifax breach. There may even be some comments made during the Democratic primary debate tonight. However, that re-interpretation of the Star Wars Cantina Scene has even a lesser chance of accomplishing anything than Congressional hearings. But what about our state government? New York has already announced an investigation into the data breach. This is a Virginia company, born in Richmond and migrated to Northern Virginia. Perhaps our attorney general ought to wipe the shoe polish from his eyes and launch his own investigation.

— Don Rippert

There are currently no comments highlighted.

16 responses to “Virginia-Based Capital One Hacked

  1. I know it’s not what you intended me to notice, but “that re-interpretation of the Star Wars Cantina Scene”– that’s just brilliant. That’s one of the funniest things I’ve heard in days. Thank you for that!

    As to the actual thrust of the article; well, yeah. This is exactly what we should expect to happen having computerized our financial system and used network technology to do it. There’s nothing surprising about this. Sure, Capital One is clearly incompetent, but this is just a natural, normal consequence of using computer network technology the way our society has… well, not so much _chosen_ as absent-mindedly backed into. You can expect many, many, many more repetitions of this.

    • Ha ha. I wish I could claim to have dreamed up the “Star Wars Cantina Scene” line myself but I heard it somewhere else. I just can’t remember where and when. Guess I’m having a “Biden moment”. It may have been LarrytheG from some long ago Republican primary.

      Cars are going to crash. People are going to get hurt. Some will die. However, that doesn’t mean we stop working to improve car safety. As more of society automates there needs to be ever more attention paid to cybersecurity. Capital One does sound incompetent with this breach. Maybe we need to stop tolerating incompetence.

      • Rush Limbaugh uses “the Star Wars bar scene” descriptor on almost a daily basis when referring to various assemblies of odd folk. Been doing so for decades.

  2. What frustrates me is that there will be no meaningful consequences for the company. Oh, it will be fined and have to reimburse its cardholders, but it will just write those expenses off its taxes or pass them along to its customers somehow. Perhaps, the Virginia banking regulators could cancel the company’s license to do business, due to its incompetence. I certainly hope some IT heads will roll. I doubt if the salary and bonus for the chairman of the board or CEO will suffer. You would think the general public would all cut up their card as a result of this, but it seems that the public is most forgiving of large financial corporations. After all, Wells Fargo is still in business.

    • Nothing will happen to Capital One. Equifax was fined an amount equal to 20% of an average year’s revenue. About as painful as having a band-aid pulled off your arm. What happened to the banksters who caused the so-called Great Recession? Nothing. The people’s hero – Barry Obama – and his malevolent henchman Eric Holder did nothing. Where was the liberal outcry over that? At least GW Bush put corporate miscreants in jail. Ask Bernie Ebbers. He’s still in the pokey. What did Obama do? Took a small fortune in money for giving speeches to banks immediately after he left the White House ….

      https://www.bbc.com/news/world-us-canada-39710529

      Should executives from Capital One go to jail? Probably not. However, they should be banned from working in banking.

  3. So…. What will Virginia state government do about this?

    Given the powers available to them and the complexity of the issues, is there anything that the General Assembly, and/or Gov. Northam and/or Attorney General Herring can do?

    • Well, New York has launched an investigation so I guess they think there is something to be done.

      In Virginia you need a license to be a hairdresser or barber. Why not a license to be in IT at a financial institution? Demand certification of competence.

      Blackface Herring could sue on behalf of the Virginians who lost personal data in this breach. Why not? I don’t want to see Capital One bankrupt but I do want to see a message sent.

      Coonman T. Blackface (our governor) is a lost cause. I’m sorry but the man just isn’t bright enough to be governor. Hell, he’s not bright enough to be a crossing guard in front of an elementary school. Being a Virginian right now is like being a Baltimore Orioles fan (which I am). You just have to suck it up and hope for better days to come.

  4. A powerful commentary, Don.

    And what will Virginia’s government, or America’s Federal government, do?

    Absolutely nothing, save shout racist slurs on the heads of the dead all day long at remembrance of first Burgess session held 400 years ago.

    What a gaggle of ridiculous clowns Virginia has for leaders today.

    • Reed:

      I agree. Coonman T. Blackface (our governor) disbanded the Secretary of Technology as a cabinet position.

      https://statescoop.com/virginia-governor-elect-will-disband-technology-secretary-role/

      When we elect buffoons we get buffoonery.

      There is probably nothing more important than understanding and managing the impact of technology on society right now. We’ve seen manipulated elections, deepfake videos, hacked private information, plane crashes rumored to be caused by software, etc. Yet Coonman thinks technology shouldn’t be a top level issue.

      We can’t just keep electing half-wits and expect good results. Herring is a dilettante but he seems to have something on the ball. Maybe he’ll take some appropriate action.

  5. Well… how many businesses are broken into, banks robbed, etc despite locks, cameras, fences, etc?

    I’m not absolving them of the hack but DJ here knows the reality of computing systems and what it takes to secure them and it aint that easy – it takes real professionals who cost big bucks and many companies choose “geek” types who are prone to short-cuts and kluges to get the job done and the folks they report to don’t know _hit from shinola in terms of the actual system and security configuration and it don’t take much in the way of power-point slides to convince the higher-ups that “all is well” until of course the guano hits the fan and the guys who kluged the system are gone and new guys struggle with undocumented changes to the system.

    Keep in mind also – that the US govt , the Justice Dept – the FBI is OPPOSED to the use of encryption on computers and phones because it makes it harder for them to snoop on the bad guys and hackers!

    A wise contractor once told me that you could have system security – good or cheap – and the reality is – good security is not cheap and it’s not what is known as a ‘profit center’.

    I have to say, I have some serious concerns with the govt determining what security should be on non-govt systems.

    • Oh, I know the details all too well. The DOJ isn’t really opposed to encryption. They just want a back door for themselves.

      “I have to say, I have some serious concerns with the govt determining what security should be on non-govt systems.”

      But government should be able to not only require that cars have seat belts but also require that people wear them? There’s a two mile section of Old Dominion Dr in Northern Virginia where government requires that I turn on my headlights – in the middle of the day. If I possess a plant called marijuana government (in Virginia) can send me to jail. But government has no role in assuring that banks protect my personal data? You need training, a license and certification to be a hairdresser in Virginia but no requirements to be in IT at a bank? What’s worse – a bad haircut or losing your money in a hack?

  6. FYI – (from the liberal media rags): ” Already this year, there have been 3,494 successful cyberattacks against financial institutions, according to reports filed with the Treasury Department’s Financial Crimes Enforcement Network.”

    Same thing happens to government websites. Every day, a barrage of attacks occur – and every now and then, one of them succeeds – and it’s usually because the admins did not apply the latest patch or they failed to configure the machine properly or they did configure it properly but a hacker found another way in that the creator of the firewall or machine software had not yet devised a patch for.

    Computer/network security today is not some once-a-week task It’s a 24/7 task where, for instance, every morning, first thing, you check the system files to see what has changed and what the logs show as to who accessed a system file. It’s boring work until something goes sideways and all heck breaks loose.

    When you are a financial institution, it’s not like you are running a blog where things go sideways and it’s an inconvenience – every single penny for every single account holder has to be right and if it’s not – you can forget being a financial institution – people will flee as fast as they can.

    The next time you log in to your financial institution – think about this. What’s on that computer screen is all you have for assurances that your money is secure.

    • Larry,

      Your last comment summed it up. That is why I refuse to do on-line banking.

    • Not all cyberattacks are created equal. Losing data on 106 million people is the Chernobyl of cyberattacks. Go into your bank and ask to see the lockbox where your personal money is kept. There is no lockbox, you have no personal money. The wealth of America is nothing more than a series of ones and zeroes in the databases of financial institutions. Lose that and you have chaos, anarchy, starvation … basically a Mad Max world. It’s that serious. The sons and daughters of bitches who run America’s financial institutions need to be held to account. They make ridiculous amounts of money, it’s high time they started earning it.

  7. I held out for a while, but it is so convenient, and here in Richmond the USPS remains totally untrustworthy. A couple of bills didn’t arrive, or payments got waylaid – doesn’t happen with the on line bill pay. I do it only from the home computer, never out and about.

Leave a Reply