Capital One breach exposes over 100 million credit card applications

Capital One breach exposes over 100 million credit card applications

Just as we were wrapping up the aftermath of the Equifax breach—how was that already two years ago?—we are confronted with yet another breach of about the same order of magnitude.

Capital One was affected by a data breach in March. The hacker gained access to information related to credit card applications from 2005 to early 2019 for consumers and small businesses. According to the bank the breach affected around 100 million people in the United States and about 6 million people in Canada.

What’s very different in this breach is that a suspect has already been apprehended. On top of that, the suspect admitted she acted illegally and disclosed the method she used to get hold of the data. From the behavior of the suspect you would almost assume she wanted to get caught. She put forth only a minimal effort to hide her identity when she talked about having access to the data, almost bragging online about how much she had been able to copy.

What happened?

A former tech company software engineer that used to be employed by Amazon Web Services (AWS) was storing the information she gained from the breach in a publicly accessible repository. AWS is the cloud hosting company that Capital One was using. From the court filings we may conclude that Paige Thompson used her hands-on knowledge of how AWS works and combined it with exploiting a misconfigured web application firewall. As a result, she was able to copy large amounts of data from the AWS buckets. She posted about having this information on several platforms which lead to someone reporting the fact to Capital One. This led to the investigation of the breach and the arrest of the suspect.

How should Capital One customers proceed?

Capital One has promised to reach out to everyone potentially affected by the breach and to provide free credit monitoring and identity protection services. While Capital One stated that no log-in credential were compromised, it wouldn’t hurt to change your password if you are a current customer or you recently applied for a credit card with the company. For other useful tips, you can read our blogpost about staying safe in the aftermath of the Equifax breach. You will find a wealth of tips to stay out of the worst trouble. Also be wary of the usual scams that will go online as spin-offs from this breach.

What can other companies learn from this incident?

While the vulnerability has been fixed, there are other lessons to be learned from this incident.

Even though it is impractical for companies the size of Capital One to run their own web services, we can ask ourselves if all of the sensitive information needs to be stored in a place where we do not have full control. Companies like Capital One use these hosting services for scalability, redundancy, and protection. One of the perks is that employees all over the world can access, store, and retrieve any amount of data. This can also be the downside in cases of disgruntled employees or misconfigured Identity & Access Management (IAM) services. Anyone that can successfully impersonate an employee with access rights can use the same data for their own purposes. Amazon Elastic Compute Cloud (EC2) is a web-based service that allows businesses to run application programs in the AWS public cloud. When you run the AWS Command Line Interface from within an Amazon EC2 instance, you can simplify providing credentials to your commands. From the court filings it looks as if this is where the vulnerability was exploited for.

Companies using AWS and similar cloud hosting services should pay attention to:

  • IAM provisioning: Be restrictive when assigning IAM roles so access is limited to those that need it and taken away from those that no longer need it.
  • Instance metadata: Limit access to EC2 metadata as these can be abused to assume an IAM role with permissions that do not belong to the user.
  • Comprehensive monitoring: While monitoring is important for every server and instance that holds important data, it is imperative to apply extra consideration to those that are accessible via the internet. Alarms should have gone off as soon as TOR was used to access the EC2.
  • Misconfigurations: If you do not have the in-house knowledge or want to doublecheck, there are professional services that can scan for misconfigured servers.

Ironically, Capital One has released some very useful open source tools for AWS compliance and has proven to have the in-house knowledge. Capital One has always been more on the Fintech side than most traditional banks, and they were early adopters of using the Cloud.  So, the fact that this breach happened to them is rather worrying as we would expect other banks to be even more vulnerable.

Stay posted

Even though we already know a lot more details about this data breach than usual, we will follow this one as it further unravels.

If you want to follow up directly with a few resources, you can click below:

Official Capital One statement

Paige Thompson Criminal Complaint


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.