Author Topic: Capital One Reports Data Breach Affecting 100 Million Customers, Applicants  (Read 1832 times)


Offline windsmurfTopic starter

  • Frequent Contributor
  • **
  • !
  • Posts: 625
  • Country: us
Hacker is arrested; She hacked into Capital One's Amazon Web Services files and databases; obtained complete credit applications and customer information
https://www.wsj.com/articles/capital-one-reports-data-breach-11564443355?mod=hp_lead_pos1

https://heavy.com/news/2019/07/paige-adele-thompson/
« Last Edit: July 30, 2019, 03:55:03 am by windsmurf »
 

Online EEVblog

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
Meh, just assume that all your information has already been stolen dozens of times already, because it's likely true.
 

Online EEVblog

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
 
The following users thanked this post: ogden

Offline Rick Law

  • Super Contributor
  • ***
  • Posts: 3423
  • Country: us
Be on the look out for strange reversed charges.

A few (5+) years ago, I got a strange $2K charge which was immediately reversed.  OK, that seemed like someone made a mistake and corrected it.  By the charge dates on the statement, about a week later, I was hit with fake charges that weren't reversed: a $100 to $200 flower bill, a > $2K charge at a fast food restaurant over a thousand miles away, and a $1K charge from another outlet (forgot what kind of charge).  Looking at the sequence of events, I think the $2K reversed charge was the thief checking out how much this card number is worth at a minimum before selling it for more, or before using it for "the big hit".

* * * *

While on this topic, the following may-be-useful information is for those in the USA:

Some of you might have received phishing (fishing) phone calls, as I did a week or so ago.

I was not available, the voice mail answered and I got half a message: "...There was suspicious activity with your social security number, it will be suspended.  Press 1 for..."

It so happens that the Social Security Admin (SSA) office was actually along my way that day, so I decided to drop by.  As suspected, it was phishing.  But the SSA person also informed me that this is actually in their policy: "Federal Government departments, social security admin, we will never call you on the phone.  We always do everything in writing."  (The part underlined is exact verbatim.  The other parts of the sentence are not exact wording but wording to the best of my recollection.)

So, if you got a call from any "Federal Government Department" and you didn't initiate it, it is probably not a real "Federal Government Department."


 

Offline ogden

  • Super Contributor
  • ***
  • Posts: 3731
  • Country: lv
Not a very smart hacker, posting to forums under her Twitter alias.

Wow! It is striking that the fifth-largest U.S. credit-card issuer has network "security" that can be breached by literally a "script kiddie". Seems like the U.S. has problems in other oversight institutions besides the FAA.
 

Offline Rick Law

  • Super Contributor
  • ***
  • Posts: 3423
  • Country: us
Not a very smart hacker, posting to forums under her Twitter alias.

Wow! It is striking that the fifth-largest U.S. credit-card issuer has network "security" that can be breached by literally a "script kiddie". Seems like the U.S. has problems in other oversight institutions besides the FAA.

Since Capital One is private, it would be a problem of decision-making by the people in the U.S. -- as opposed to it being a US-Government problem, as the words "oversight" and "FAA" would imply.

The US Government has a role in the bank's money management, but it doesn't have a role in corporate network or computer management.  Maybe it needs one, maybe not.  It doesn't have one for now, so it isn't the US Gov's fault.  It is the fault of Capital One's bad management.  We (people in the US) should be more selective in choosing our service providers and let the bad ones die of customer-deprivation.

Incompetence = Bad management = Bad provider.
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
While I don't condone hacking, the common practice of throwing the book at the hacker strikes me as more a tactic of deflecting blame, most of which falls squarely on these companies that do not take data security seriously. I think there needs to be enormous fines on companies that are breached like this, something that is on the verge of putting them out of business. Only then they will start to take security very seriously and make it top priority.
 
The following users thanked this post: ve7xen, Ysjoelfir

Offline jpanhalt

  • Super Contributor
  • ***
  • Posts: 3395
  • Country: us
https://heavy.com/news/2019/07/paige-adele-thompson/

Not a very smart hacker, posting to forums under her Twitter alias.

Apparently the hacker wanted to be caught according to local news.
 

Offline jpanhalt

  • Super Contributor
  • ***
  • Posts: 3395
  • Country: us
Capital One became aware of the intrusion on July 17, 2019.  On July 29, 2019 it finally notified its clients and offered its apology for any concerns it may have caused.

The CEO's letter included this clueless comment, "We will notify affected individuals through a variety of channels."  Right. 

That's like a doctor telling a patient, "We'll text you if you have cancer."  What if you don't have a smartphone?

How many years do I need to wait?   There is a simpler solution for me to take, and I hope other concerned individuals will do the same.  BTW, the tone-deaf CEO's name is "Fairbank."  How ironic.



 

Offline Stray Electron

  • Super Contributor
  • ***
  • Posts: 2039
Not a very smart hacker, posting to forums under her Twitter alias.

Wow! It is striking that the fifth-largest U.S. credit-card issuer has network "security" that can be breached by literally a "script kiddie". Seems like the U.S. has problems in other oversight institutions besides the FAA.


   Very definitely!  It's about time that the US regulators started hitting these hacked companies to the tune of about $10,000 for every customer record that is stolen.  Then maybe the CEOs would start paying more attention to security and less to saving a few pennies per record by storing them somewhere in the cloud.  I know of several people that have had their identity stolen in a major way, and $10,000 wouldn't even begin to cover what ID theft has cost them!
 
The following users thanked this post: jpanhalt

Offline Dundarave

  • Regular Contributor
  • *
  • Posts: 151
  • Country: ca
Not a very smart hacker, posting to forums under her Twitter alias.

Wow! It is striking that the fifth-largest U.S. credit-card issuer has network "security" that can be breached by literally a "script kiddie". Seems like the U.S. has problems in other oversight institutions besides the FAA.


   Very definitely!  It's about time that the US regulators started hitting these hacked companies to the tune of about $10,000 for every customer record that is stolen.  Then maybe the CEOs would start paying more attention to security and less to saving a few pennies per record by storing them somewhere in the cloud.  I know of several people that have had their identity stolen in a major way, and $10,000 wouldn't even begin to cover what ID theft has cost them!

I think that they should start by attaching executive-level penalties like those of the Sarbanes-Oxley Act, which was created out of the Enron debacle:  CEOs and CFOs (and add CTOs) should be personally held responsible (and thrown in jail) for not doing enough to prevent data hacking, and given jail sentences when it happens.

It’s way too easy to ignore security at the cost of new development, profits, stock option increases, and business expansion rather than spend big bucks on security.  Right now, all you need to do is cross your fingers and have an apology ready.  It’s absolute bullshit, and executives should go to prison for it: that’ll clean it up right quick.
 
The following users thanked this post: Ysjoelfir

Offline jpanhalt

  • Super Contributor
  • ***
  • Posts: 3395
  • Country: us
Not a very smart hacker, posting to forums under her Twitter alias.

Wow! It is striking that the fifth-largest U.S. credit-card issuer has network "security" that can be breached by literally a "script kiddie". Seems like the U.S. has problems in other oversight institutions besides the FAA.
   Very definitely!  It's about time that the US regulators started hitting these hacked companies to the tune of about $10,000 for every customer record that is stolen.  Then maybe the CEOs would start paying more attention to security and less to saving a few pennies per record by storing them somewhere in the cloud.  I know of several people that have had their identity stolen in a major way, and $10,000 wouldn't even begin to cover what ID theft has cost them!

I think that they should start by attaching executive-level penalties like those of the Sarbanes-Oxley Act, which was created out of the Enron debacle:  CEOs and CFOs (and add CTOs) should be personally held responsible (and thrown in jail) for not doing enough to prevent data hacking, and given jail sentences when it happens.

It’s way too easy to ignore security at the cost of new development, profits, stock option increases, and business expansion rather than spend big bucks on security.  Right now, all you need to do is cross your fingers and have an apology ready.  It’s absolute bullshit, and executives should go to prison for it: that’ll clean it up right quick.

Couldn't agree more.  Chelsea Manning (ne Bradley Manning, https://en.wikipedia.org/wiki/Chelsea_Manning) faced the death penalty and was put in prison for exposing poor security in America's military systems.

I don't condone what she did, but I can understand her desperation.  The same is true in this case.  Paige Thompson is in some respects a hero.  Why was she put in a position of trust after "leaving" Amazon?  Did anyone question her stability? And so forth.   

I have seen similar errors by CEOs who put their blind trust in some favorite and didn't consider facts.   In one case, it almost resulted in the death of an innocent individual.  CEOs need to get out of the cocktail circle or off the golf courses and be held accountable for EVERYTHING.
 

Offline Rick Law

  • Super Contributor
  • ***
  • Posts: 3423
  • Country: us
...
I think that they should start by attaching executive-level penalties like those of the Sarbanes-Oxley Act, which was created out of the Enron debacle:  CEOs and CFOs (and add CTOs) should be personally held responsible (and thrown in jail) for not doing enough to prevent data hacking, and given jail sentences when it happens.
...
...
It’s absolute bullshit, and executives should go to prison for it: that’ll clean it up right quick.

In this case, which CEO?  Capital One? or Amazon AWS? or Both?
(I am inferring that the "cloud computing company that isn't identified" in the first quoted paragraph from Bloomberg[1] is AWS.  In the second quoted paragraph, an AWS spokesman confirmed the data was on their server.  What is not confirmed is whether it was stolen FROM their server and who did the bad firewall configuration.  After all, it is possible for the data to be stolen en route to the AWS server before AWS has anything to do with it.)

That leads to the firewall - In the Forbes article[2], they are not pointing the finger at AWS, but at the firewall.  But what kind?
A real or virtual one inside AWS for Capital One -or- perhaps a virtual firewall inside AWS servers dedicated to Capital One -or- a firewall inside Capital One's own facilities for AWS and other outgoing connections?

Unless it turns out this is a firewall that has nothing to do with AWS, you can even argue this breach is a "cloud enabled breach".  The data was on the cloud (AWS) or on the way to the cloud, the stolen data list was on a cloud (Microsoft GitHub).

This cloud thing is a mess - everyone has some responsibility and thus everyone has some fault.  This case, if it becomes a legal case, may clear up some of the unknowns regarding liability/legal issues.



------------- References/Links

[1] From Bloomberg article: "Tipster’s Email Led to Arrest in Massive Capital One Breach"
"... ...
In a complaint filed Monday in Seattle, prosecutors said that Thompson accessed the data at various times between March 12 and July 17. A file on her GitHub account, timestamped April 21, contained a list of more than 700 folders and buckets of data, according to prosecutors.

The Capital One data had been stored on servers it contracted from a cloud computing company that isn’t identified, though the charges against Thompson refer to information stored on S3, a reference to Amazon Web Services’ popular data storage software.
...
...
An AWS spokesman confirmed that the company’s cloud had stored the Capital One data that was allegedly stolen, and said it wasn’t accessed through a breach or vulnerability in its systems.
...
...
Capital One has been one of the most vocal advocates for using cloud services among banks.
...
...
“We have embraced the public cloud and are well on our way to migrating our applications and data to the cloud,” Chief Executive Officer Richard Fairbank told analysts on a conference call in April. “We are now considered one of the most cloud forward companies in the world.”
...
..."
Original Bloomberg Article: https://www.bloomberg.com/news/articles/2019-07-30/tipster-s-email-led-to-arrest-in-massive-capital-one-data-breach


[2] From Forbes article: "Will Capital One's 106M Name Data Breach Cut Into AWS's Growth?"

"... ... ... Capital One said that the breach was not the fault of AWS. Instead, Capital One had “improperly configured a firewall” — a problem that Capital One fixed when the company discovered it, according to Bloomberg. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.”... ... ... "
Link: https://www.forbes.com/sites/petercohan/2019/07/30/will-capital-ones-106m-name-data-breach-cut-into-awss-growth/


 

Offline Dundarave

  • Regular Contributor
  • *
  • Posts: 151
  • Country: ca

In this case, which CEO?  Capital One? or Amazon AWS? or Both?


Capital One is solely responsible for the storage and security of the data that they collect from their customers.  They can choose to store it in a shoebox, on their own servers, or use a third-party service to do so, but neither they (nor any other such organization) can escape their liability responsibilities by trying to point the finger at a third-party vendor.  The CEO is free to sue his/her 3rd party leaky storage vendor from their jail cell for breach of contract, but in this case, it's on Capital One alone to protect their customers' data, not AWS.
 

Offline raptor1956

  • Frequent Contributor
  • **
  • Posts: 868
  • Country: us
It looks like the hacker may have exploited knowledge about AWS from her time working for them so although Capital One is mostly responsible I would not rule out some legal jeopardy for Amazon.


Brian
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
While I don't condone hacking, the common practice of throwing the book at the hacker strikes me as more a tactic of deflecting blame, most of which falls squarely on these companies that do not take data security seriously. I think there needs to be enormous fines on companies that are breached like this, something that is on the verge of putting them out of business. Only then they will start to take security very seriously and make it top priority.

Absolutely. And from what little technical detail has been provided, it really sounds to me like no actual 'hacking' took place here, and that the data was just sitting there for the taking. At what point does accessing an unsecured resource become hacking? Going after people in those situations is not only ineffective at reducing the frequency of breaches, but also creates a bit of a dangerous legal situation where merely accessing something nobody gave you explicit permission to access could be a serious crime.

I'm not sure she should get off scot-free, particularly if she distributed the data or made moves to do so, but it's also looking like the blame for this lies squarely elsewhere, and there needs to be some motivation applied at those levels.
73 de VE7XEN
He/Him
 

Offline retiredcaps

  • Super Contributor
  • ***
  • Posts: 3575
  • Country: ca
Details of how they caught Paige filed as per court documents.

https://regmedia.co.uk/2019/07/29/capital_one_paige_thompson.pdf

I don't know how the IT group works at Capital One, but when I make changes to my home router either by upgrading software or to a new 3rd party firmware, I always test it before deployment.
 

Offline ogden

  • Super Contributor
  • ***
  • Posts: 3731
  • Country: lv
US Government has a role in the bank's money management, but it doesn't have a role in corporate network or computer management.

How about NY state regulation (pdf document)?

https://digitalguardian.com/blog/what-nydfs-cybersecurity-regulation-new-cybersecurity-compliance-requirement-financial
 

Offline Stray Electron

  • Super Contributor
  • ***
  • Posts: 2039

    >>> big snip
...
Capital One has been one of the most vocal advocates for using cloud services among banks.
...
...
“We have embraced the public cloud and are well on our way to migrating our applications and data to the cloud,” Chief Executive Officer Richard Fairbank told analysts on a conference call in April. “We are now considered one of the most cloud forward companies in the world.”
...
..."
Original Bloomberg Article: https://www.bloomberg.com/news/articles/2019-07-30/tipster-s-email-led-to-arrest-in-massive-capital-one-data-breach


[2] From Forbes article: "Will Capital One's 106M Name Data Breach Cut Into AWS's Growth?"

"... ... ... Capital One said that the breach was not the fault of AWS. Instead, Capital One had “improperly configured a firewall” — a problem that Capital One fixed when the company discovered it, according to Bloomberg. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.”... ... ... "
Link: https://www.forbes.com/sites/petercohan/2019/07/30/will-capital-ones-106m-name-data-breach-cut-into-awss-growth/

   So. The short version is that the CEO decides to save money by getting rid of his company's IT and storing the records elsewhere, but he cut his IT support so much that no one could properly configure the firewall.  That sounds like criminal negligence to me, since it was his and his company's fiduciary responsibility to safeguard their clients' and customers' data.
 

Offline Rick Law

  • Super Contributor
  • ***
  • Posts: 3423
  • Country: us
US Government has a role in the bank's money management, but it doesn't have a role in corporate network or computer management.

How about NY state regulation (pdf document)?

https://digitalguardian.com/blog/what-nydfs-cybersecurity-regulation-new-cybersecurity-compliance-requirement-financial

Each State has its own laws and they are not always the same across different States.  US Code (law) would govern all of the USA regardless of State.   "FAA" (in the quotes I was first replying to) is a US Federal Government agency applicable to all States.  It is in that context to which my reply applies.

Differences in State laws cause interesting things...   For example, New Jersey and New York are two States that differ from the rest of the country in how they define death legally.  Both NJ and NY require the heart and lungs to stop in addition to brain death for a person to be legally dead in NJ and NY.

So if you put a brain-dead but heart-still-beating person in a car and drove him from Pennsylvania to Connecticut, you would start off with a legally dead guy in PA, once you cross into NY (or NJ), you have a legally living person, then when you cross from NY into CT, the person is legally dead again.  Kind of like Schrödinger's cat here.   If right on the bridge between NY and PA on Interstate 95 you shoot the guy in the heart causing heart/lung stoppage - well, a few feet more (or less) along the way would make a difference between what would legally be murder vs abuse of a corpse.
 

Offline Rick Law

  • Super Contributor
  • ***
  • Posts: 3423
  • Country: us
...
What is not confirmed is if it was stolen FROM their server and who did the bad firewall configuration.  After all, it is possible for the data to be stolen en-route to the AWS server before AWS has anything to do with it)

That leads to the firewall - In the Forbes' article[2], they are not pointing the finger at AWS, but on the firewall.  But what kind?
A real or virtual one inside the AWS for Capital One -or- perhaps a virtual firewall inside AWS servers dedicated to Capital one -or- a firewall inside Capital One's own facilities for AWS and other outgoing connections?
...

New info for the stuff I cited as unknowns in my earlier reply re-quoted above - it is now known...

Where the data was taken from and the location of the configured firewall are disclosed in the news article below, published just earlier today.  The data was downloaded from AWS machine(s), and the firewall was for those AWS machines.  From the totality of the article, I would infer that the firewalls are likely on AWS premises.

The fact that Thompson was an ex-Amazon employee (thus knowing the vulnerability of their systems), data downloaded from AWS machines, a mis-configured firewall for those AWS machines...  I think the legal liability for AWS is on the increase...


From USA Today:
"... ...Thompson's résumé says she worked at Amazon from May 2015 to September 2016, and listed her job as a systems engineer who worked on S3 or Amazon Simple Storage Service, which the company says is its platform for storing "data for millions of applications for companies all around the world."

Her online credentials and internet protocol addresses were found to be involved with accessing a server, which had a misconfigured firewall, and with downloading data in March 2019 from Capital One's storage space on Amazon's cloud system, according to the filing."

Link to article: https://www.usatoday.com/story/money/business/2019/07/30/suspect-behind-capital-one-data-breach-may-have-more/1865848001/
 

Offline ogden

  • Super Contributor
  • ***
  • Posts: 3731
  • Country: lv
Differences in State laws cause interesting things...   For example, New Jersey and New York are two States that differ from the rest of the country in how they define death legally.  Both NJ and NY require the heart and lungs to stop in addition to brain death for a person to be legally dead in NJ and NY.

So if you put a brain-dead but heart-still-beating person in a car and drove him from Pennsylvania to Connecticut, you would start off with a legally dead guy in PA, once you cross into NY (or NJ), you have a legally living person, then when you cross from NY into CT, the person is legally dead again.  Kind of like Schrödinger's cat here.   If right on the bridge between NY and PA on Interstate 95 you shoot the guy in the heart causing heart/lung stoppage - well, a few feet more (or less) along the way would make a difference between what would legally be murder vs abuse of a corpse.

Thanx! Quite a vivid picture of state law differences  8)
 

Online EEVblog

  • Administrator
  • *****
  • Posts: 37661
  • Country: au
    • EEVblog
While I don't condone hacking, the common practice of throwing the book at the hacker strikes me as more a tactic of deflecting blame, most of which falls squarely on these companies that do not take data security seriously. I think there needs to be enormous fines on companies that are breached like this, something that is on the verge of putting them out of business. Only then they will start to take security very seriously and make it top priority.

Absolutely. And from what little technical detail has been provided, it really sounds to me like no actual 'hacking' took place here, and that the data was just sitting there for the taking. At what point does accessing an unsecured resource become hacking? Going after people in those situations is not only ineffective at reducing the frequency of breaches, but also creates a bit of a dangerous legal situation where merely accessing something nobody gave you explicit permission to access could be a serious crime.

I'm not sure she should get off scot-free, particularly if she distributed the data or made moves to do so, but it's also looking like the blame for this lies squarely elsewhere, and there needs to be some motivation applied at those levels.

Yes, once you download the data, that becomes an actionable intent, and once you publish it elsewhere that becomes distribution of private information, and once you take credit for it that potentially becomes a tangible gain (even if not financial, but reputation).
She knew the data was personal information and she took it, even if it was out in the open for the taking. She's still in trouble, but at least her defense will have something to work with.
What if she just published the link?  :-//
 

