Virginia-Based Capital One Hacked

Who let the dogs data out?  McLean-based Capital One has been hacked in one of the largest data breaches ever. A single hacker with apparent mental health issues managed to copy 100 million credit card applications and accounts. The seeming ease with which the hacker compromised what should have been ironclad security is shocking. The bank’s stumbling and fumbling explanations of what happened have not helped Capital One’s cause.

The hacker who couldn’t shoot straight.  The FBI has arrested 33-year-old Seattle resident Paige Thompson in connection with the data breach. Ms. Thompson, who goes by the online name of “erratic,” made so many mistakes that her capture was tantamount to turning herself in. Slate reports, “According to a federal indictment, Thompson posted the data she pilfered on her GitHub profile on April 21, where she had also uploaded her résumé with her full name listed and details about her employment history.” Erratic indeed … not exactly up to the standards of Frank Abagnale. Ms. Thompson also posted her interest in euthanizing her cat and committing herself to a mental institution on social media.

Don’t blame the cloud. The Capital One data was resident on a storage service provided by cloud vendor Amazon Web Services (AWS). While Ms. Thompson did work for Amazon Web Services in the past, AWS has refused to accept any blame for the hack. From early descriptions of how the breach occurred it seems that AWS is correct in asserting that it is not to blame. If I were an AWS spokesman (and I am not), I would say, “We make excellent doors, locks and keys. However, if a homeowner leaves the door open and tapes the keys to the outside of the door they should not expect much in the way of security.”

Anatomy of the hack. Details are still somewhat sketchy but the FBI complaint provides more information than usual in situations like this. Some would say the following discussion of what happened is premature (aka “the Benghazi defense”). I disagree. This is a big bank entrusted with very sensitive information. Their actions need to be examined now. Without getting “into the weeds” on how AWS works and the apparent deficiencies in Capital One’s security measures, this is what happened (for more detailed analyses, look here and here):

  1. Capital One was running some of its application base on AWS. This included leasing compute instances, firewalls and storage from Amazon. Like all public cloud providers AWS leaves it up to the customer to configure the security of the components they are leasing. Properly configured, AWS is a very secure environment.
  2. A firewall designed to prevent unauthorized access to Capital One’s environment was misconfigured (presumably by Capital One). This was the open door that allowed Ms. Thompson access to a system she should never have been able to penetrate.
  3. Once inside the perimeter of the Capital One “system,” Thompson somehow gained access to the credentials which describe what legitimate Capital One users are allowed to do within this “system”.
  4. The compromised credentials allowed read access to data stored in AWS’ Simple Storage Service (S3). This is where the credit card applications, account data, etc., were being stored by Capital One. Thompson used these credentials to read and copy the data.
  5. Some of the data were encrypted and some were not. According to the Seattle Times, “Most of the data copied from Capital One’s data folders between March and July were primarily credit-card applications and while some of it, such as Social Security numbers, had been encrypted, other information — including names, addresses, dates of birth, and credit-history information — was not …” As will be discussed later it seems that none of the data was effectively encrypted.
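Steps 3 and 4 above describe valid credentials being used from the wrong place to read far more S3 data than any workload needs, which is exactly the pattern a defender should be alerting on. The following is an added example, not code from the original post or from Capital One or AWS: it scans constructed CloudTrail-style records and flags the principal whose credentials read S3 from an untrusted address and across several buckets. The trusted network range, the bucket threshold, the role name and every record value are assumptions.

```python
# Added example (not from the original post). Records are constructed to mirror
# CloudTrail's field names (eventName, sourceIPAddress, userIdentity.arn,
# requestParameters.bucketName); every value below is made up.
import ipaddress
import json
from collections import defaultdict

# Assumption: legitimate workloads reach S3 only from this VPC address range.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/16")]
READ_EVENTS = {"GetObject", "ListBuckets", "ListObjects", "ListObjectsV2"}

# Constructed sample log: one normal read, then a burst from an outside address.
SAMPLE_LOG = """
{"eventName": "GetObject", "sourceIPAddress": "10.0.4.12", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}, "requestParameters": {"bucketName": "app-data"}}
{"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}, "requestParameters": {}}
{"eventName": "ListObjectsV2", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}, "requestParameters": {"bucketName": "cc-applications"}}
{"eventName": "GetObject", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}, "requestParameters": {"bucketName": "cc-applications"}}
{"eventName": "GetObject", "sourceIPAddress": "198.51.100.7", "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"}, "requestParameters": {"bucketName": "account-snapshots"}}
"""

def is_trusted(ip):
    """True when the caller's address is inside an expected workload network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious_sessions(log_text, max_buckets=1):
    """Map principal ARN -> list of reasons, for principals that read S3 from an
    untrusted address, enumerated all buckets, or touched more than max_buckets."""
    stats = defaultdict(lambda: {"untrusted_ips": set(), "buckets": set(), "enumerated": False})
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["eventName"] not in READ_EVENTS:
            continue
        s = stats[rec["userIdentity"]["arn"]]
        if not is_trusted(rec["sourceIPAddress"]):
            s["untrusted_ips"].add(rec["sourceIPAddress"])
        if rec["eventName"] == "ListBuckets":
            s["enumerated"] = True  # listing every bucket is rarely an application's job
        bucket = rec.get("requestParameters", {}).get("bucketName")
        if bucket:
            s["buckets"].add(bucket)
    findings = {}
    for arn, s in stats.items():
        reasons = []
        if s["untrusted_ips"]:
            reasons.append("S3 reads from outside trusted network: " + ", ".join(sorted(s["untrusted_ips"])))
        if s["enumerated"] or len(s["buckets"]) > max_buckets:
            reasons.append("touched %d buckets (enumerated=%s)" % (len(s["buckets"]), s["enumerated"]))
        if reasons:
            findings[arn] = reasons
    return findings
```

Object-level reads such as GetObject only appear in CloudTrail when S3 data events are enabled for the trail; without them this check would see the ListBuckets call but not the copying itself.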

Capital One’s bumbling public commentary. Capital One has done itself no favors in its post-breach commentary. e-Radio.USa has an excellent article on the matter. “I am deeply sorry for what has happened,” Richard Fairbank, the CEO of Capital One, said in a Capital One press release. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.” On the heels of the Equifax breach this is simply inadequate. As others have said, this corporate-speak comment sounds a lot like the “thoughts and prayers” offered by politicians to the families of mass shooting victims. America doesn’t need your apologies Mr. Fairbank – we need to know what the hell you’re going to do to stop this from ever happening again. As far as calling this an “incident” … are you kidding? This was a massive breach.

Capital One also blurted out some babble-talk about encryption. In its press release announcing the incident, Capital One wrote, “We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.” This is the equivalent of taping the keys to the door on the front of the door. The data was encrypted but accessing it decrypted the data? Once again I ask … are you kidding?

As e-Radio.USa notes, “Capital One’s press release also said, bizarrely, that no Social Security numbers or bank account numbers were compromised, then immediately revealed that 140,000 Social Security numbers and 80,000 account numbers were compromised.”

The breach happened in March. Capital One was unaware until they got an e-mail tip that the breach happened. That was ten days ago. One would have thought that in ten days the company could have at least gotten its corporate messaging straightened out. Apparently not.

Going forward. Congress will undoubtedly hold hearings on this data breach. That will be just as ineffective as the hearings held in the aftermath of the Equifax breach. There may even be some comments made during the Democratic primary debate tonight. However, that re-interpretation of the Star Wars Cantina Scene has even a lesser chance of accomplishing anything than Congressional hearings. But what about our state government? New York has already announced an investigation into the data breach. This is a Virginia company, born in Richmond and migrated to Northern Virginia. Perhaps our attorney general ought to wipe the shoe polish from his eyes and launch his own investigation.

— Don Rippert