It's raining Social Security numbers: Securing the cloud
In March 2019, more than 100 million credit applications and accounts were leaked when a single hacker -- who was arrested three weeks ago -- gained access to Capital One’s cloud storage server. The information was taken from credit card applications submitted to the Virginia-based bank from 2005 to 2019. These included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. While 99 percent of the data was encrypted, 140,000 social security numbers, 80,000 bank account numbers, and roughly 1 million social insurance numbers, the Canadian equivalent of social security numbers, were leaked.
No credit card information or log-in credentials were leaked in the breach. Capital One alerted customers as soon as they found out, corrected their cloud server settings, and offered full credit monitoring to those affected. As Capital One learned how to handle data breaches from witnessing other companies, we can learn from this breach to harden our cybersecurity perimeter.
The Capital One data breach is unique compared to other breaches - the entire breach was carried out by a single perpetrator. Paige Thompson, a former Amazon employee, was able to exploit a misconfigured firewall in order to run administrative commands on Capital One’s AWS cloud server. This allowed her to exfiltrate data – and it would have been hard to discover she was the perpetrator if she hadn’t kept a public record of her hacking exploits on the messaging service Slack, her personal Twitter, and the code repository GitHub. When a GitHub user alerted authorities to her activity, all of the information posted online allowed them to track her down fairly quickly.
Thompson knew how to navigate cloud storage infrastructure, query and obtain the necessary credentials, and take advantage of this specific firewall misconfiguration. Even though she wasn’t working for either Amazon or Capital One at the time of the breach, having that knowledge of the system makes her an insider threat. While insider threat behavior can normally be observed and reported in the workplace, Thompson’s indicators were all online or in private chatrooms, and they were reported as soon as her behavior was noticed. It can be very difficult to stop a malicious actor with in-depth knowledge of a system, which is why making sure all configurations and settings are set up correctly is so important.
Cloud storage is an increasingly attractive option for businesses as it provides high usability and accessibility without the need for a typical corporate data center. When cloud storage is configured correctly, it also supports regulatory compliance and helps disaster recovery efforts. As more organizations rely on cloud services for data storage, it is important for customers to understand that cloud service providers use a shared responsibility model. Shared responsibility models vary, but the customer may be responsible for network, firewall, and operating system configurations, as well as for maintaining their own development platforms.
The Capital One hack was not the fault of the cloud provider, but rather of Capital One’s firewall misconfiguration. Other cloud-based hacks, like the compromise of Tesla’s Amazon Web Services environment in 2018 and the Aadhaar India National ID Database breach that exposed the identities of more than a billion Indian citizens, stemmed from exposed endpoints. Too often, organizations offload cybersecurity requirements onto cloud providers and ignore the security practices they are responsible for maintaining themselves.
Cybersecurity compliance should not be treated like a checklist; when regulations and requirements are treated as an afterthought, many potential attack vectors can be overlooked. Organizations need to understand what their responsibility is for maintaining security, even when the service is being provided by a third party. When cybersecurity becomes a focus before a project starts, misconfigurations and mistakes happen less frequently and are caught earlier.
If you were affected by the Capital One data breach, you will receive an email from Capital One offering two years of free credit monitoring and identity protection through TransUnion. You won’t need to reply or click on any embedded links in the email, so make sure you don’t fall for phishing emails requesting personal data to verify or sign you up for the credit monitoring service. You should also monitor your account activity for anything unusual or suspicious. Remember – stay vigilant.