Capital One Says Hacker Breached Accounts of 100 Million People; Ex-Amazon Employee Arrested (forbes.com)
CaptainDork shares a report from Forbes: Capital One said Monday that sensitive financial information -- including Social Security and bank account numbers -- from over 100 million people was exposed in a massive data breach that led to the arrest of former Amazon employee Paige Thompson, a hacker who lives in Seattle. The information was taken from credit card applications submitted to the Virginia-based bank from 2005-2019. These included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income. Additionally, Capital One said that 140,000 Social Security and 80,000 linked bank account numbers were compromised as well as fragments of transaction data from a total of 23 days during 2016, 2017 and 2018. No credit card account numbers or log-in credentials were exposed. Individuals whose information was compromised in the breach will be notified by Capital One. According to court documents, Paige Thompson was arrested for hacking into cloud computer servers rented by Capital One. Investigators say Thompson previously worked at the cloud computing company whose servers were breached, but did not name the company.
"Thompson's resume, which is still online, and her LinkedIn profile indicate that she worked at Amazon, which operates the popular cloud computing business Amazon Web Services, from 2015-2016," reports Forbes. "Thompson allegedly posted the information from the hack on her Github profile, which included a link to her resume, leading the FBI to her. The hack occurred on March 22 or 23, the court documents say, but no one at Capital One knew the bank had been breached until four months later when an anonymous security researcher alerted them."
Ugh.... (Score:2)
Re:Ugh.... (Score:5, Interesting)
The "problem" with cloud is that we usually treat it like a server in a DC managed by our own team. Nope, they are not. My servers are in Singapore due to historical and legal reasons, a country with laws difficult to follow, a country which, while most people describe it as a very beautiful one, I have no intention of visiting; I do not like international travel. So if I treat those servers like servers run by myself, I am open to some problems.
Re: (Score:2)
The "problem" with cloud is that we usually treat it like server in a DC managed by our own team. Nope they are not.
You are exactly, 100 percent correct. But the cloud was sold as an impervious fortress of encrypted security when it was first getting started, and a lot of people foolishly bought into that lie.
Re: (Score:2)
Re: (Score:2)
I'm going to assume you aren't being snarky. In this case "DC" = Data Center.
Re: (Score:2)
Re: (Score:2)
Cloud storage isn't why people use the cloud. Cloud execution is where the savings and flexibility really matter and to execute you need data.
That doesn't mean you can't secure your online data but you sure as fuck can't just encrypt offline then upload only encrypted data.
Re: (Score:2)
That's not entirely true: homomorphic encryption has been demonstrated. But it's still pretty close to cutting edge.
Re: (Score:2)
You need a specialist mathematician to make it work, and it kills performance.
Re: (Score:2)
Homomorphic encryption is bleeding-edge tech that doesn't belong outside the lab yet. AFAIK even the most promising experimental systems so far have been found to have cryptographic vulnerabilities.
It also wouldn't be a bad idea from a security perspective to keep the data encrypted even if the machine using the data holds the encryption key in RAM, especially if storage is on a separate system from execution. It would be a bad idea from a performance perspective though...
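The sub-thread above argues about whether a cloud machine can compute on data it never sees in the clear. As an added illustration of the additively homomorphic property being referred to (this is example code written for this thread, not code from any poster or from Capital One/AWS), here is a toy Paillier cryptosystem in Python: the "cloud" side adds up ciphertexts without the private key, and only the key holder decrypts the total. The primes are constructed 7-digit values chosen so the demo runs instantly; they give no security, and the scheme shown supports only addition, which is exactly the limitation the posters are pointing at.

```python
import secrets
from math import gcd

# Toy Paillier parameters: two hand-picked 7-digit primes (constructed for this
# example). Real keys use ~2048-bit moduli; this key has no security value.
P, Q = 1_000_003, 1_000_033


def _lcm(a, b):
    return a * b // gcd(a, b)


def keygen(p=P, q=Q):
    """Return (public, private) Paillier keys using the g = n + 1 simplification."""
    n = p * q
    n2 = n * n
    g = n + 1
    lam = _lcm(p - 1, q - 1)
    # L(x) = (x - 1) / n ; mu = L(g^lam mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Encrypt integer m with fresh randomness r coprime to n."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1  # 1 <= r < n
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Recover m = L(c^lam mod n^2) * mu mod n."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return (((pow(c, lam, n2) - 1) // n) * mu) % n


def add_ciphertexts(pub, c1, c2):
    """Multiplying ciphertexts mod n^2 yields an encryption of (m1 + m2) mod n."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def sum_without_key(pub, ciphertexts):
    """What an untrusted cloud worker can do: total the encrypted values without
    ever holding the private key or seeing a plaintext."""
    acc = encrypt(pub, 0)  # encryption of zero is the identity and re-randomizes the result
    for c in ciphertexts:
        acc = add_ciphertexts(pub, acc, c)
    return acc


def demo(values):
    """Round trip: client encrypts, 'cloud' sums ciphertexts, client decrypts the total."""
    pub, priv = keygen()
    ciphertexts = [encrypt(pub, v) for v in values]
    total_ct = sum_without_key(pub, ciphertexts)
    return decrypt(pub, priv, total_ct)


if __name__ == "__main__":
    print(demo([1200, 3400, 5600]))  # 10200
```

Note that each `encrypt` call draws fresh randomness, so two encryptions of the same value are different ciphertexts; the cloud side cannot even tell which records hold equal amounts, yet the sum still decrypts correctly. The performance complaint in the thread is visible here too: every addition costs a multiplication modulo n squared, and anything beyond addition (comparisons, branches, multiplications of two encrypted values) is outside what this scheme offers.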
Re: Ugh.... (Score:2)
And Amazon has the same thing. What's your point?
Re: (Score:3)
Of course they do. They tell me explicitly every time they get hacked. "Here at LaxSecurityCO, we take your security very seriously and are doing everything we can to keep you and your children safe"...
They wouldn't say it if they didn't mean it, right?
Re: (Score:2)
Re: (Score:2)
INTERNAL clouds are very useful. Gives you a lot of flexibility within your environment. Don't have to worry about having a bunch of hardware lying around (especially server hardware).
External clouds on the other hand, I'd rather not....
Re: (Score:3)
"The cloud" is a huge circular marketing argument.
It's cheaper... if you don't do all of the things that you really need to do to keep your systems secure.
It's secure... if you do all of the things you are supposed to do. But since that's like 85% of the cost of IT, it erodes the cost savings to pretty much zero.
You can get your cloud provider to do the low-level things, like patching. But then you either have to deal with someone else deciding when patches are installed, or switch to an infrastructure desi
no hacking (Score:3, Informative)
What "hacker"? All she did was misuse valid (or legitimately assigned but not removed) credentials. That's not hacking in either our sense or Microsoft's/the bad media's sense. This is no different from a cashier lifting money.
The other point is Amazon's lack of privilege separation, but we already know they suck (just like most other hosting providers...).
Re:no hacking (Score:5, Informative)
The other point is Amazon's lack of privilege separation
I don't see any evidence that there was an issue with Amazon's "lack of privilege separation".
According to the court documents [regmedia.co.uk], the hack was enabled by a firewall misconfiguration (by Capital One) that allowed remote execution of commands on a Capital One instance, and the distribution of AWS credentials by Capital One to that instance that permitted access to the S3 bucket in question.
Capital One chose to not separate the privileges sufficiently.
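The comment above puts the privilege-separation question on the customer side: the instance was handed AWS credentials whose S3 permissions reached the bucket in question. As an added example (written for this thread, not code from Capital One, AWS or the court documents), here is a small Python check a defender can run over an instance role's IAM policy documents to flag exactly that shape of over-broad grant: S3 data-read actions allowed on every bucket. Both policy documents are constructed for the example and the bucket name `example-app-config` is hypothetical; the check is a heuristic that looks only at `Allow` statements and ignores `Deny`, `NotAction` and conditions, so treat it as a first-pass linter, not a policy evaluator.

```python
import fnmatch
import json

# Two constructed IAM policy documents for an EC2 instance role (illustrative
# only; not Capital One's or AWS's real policies).
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # One leaked credential from this role can list and read every bucket.
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Read only the objects this workload needs, under one prefix of one bucket.
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-config/prod/*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-app-config",
         "Condition": {"StringLike": {"s3:prefix": ["prod/*"]}}},
    ],
})

# Actions that let a principal enumerate or read bucket contents. If a wildcard
# covers any of these on Resource "*", the role can read everything in the account.
DATA_READ_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:ListAllMyBuckets")
WILDCARD_RESOURCES = ("*", "arn:aws:s3:::*")


def _as_list(value):
    # IAM allows a string or a list in Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _covers(pattern, action):
    # IAM action matching is case-insensitive and supports '*' globs.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_overbroad_statements(policy_json):
    """Return a finding per Allow statement that grants S3 data reads beyond
    a named bucket/prefix. Empty list means nothing flagged."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        reads = [a for a in DATA_READ_ACTIONS if any(_covers(p, a) for p in actions)]
        if not reads:
            continue  # statement does not touch S3 data at all
        if any(r in WILDCARD_RESOURCES for r in resources):
            findings.append(
                f"statement {idx}: {reads} allowed on every bucket (Resource '*')")
        elif any(p in ("*", "s3:*") for p in actions):
            findings.append(
                f"statement {idx}: wildcard action {actions} grants far more than data reads")
    return findings


def is_least_privilege(policy_json):
    """True when no statement is flagged by find_overbroad_statements."""
    return not find_overbroad_statements(policy_json)


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_overbroad_statements(doc) or "ok")
```

Run against the two documents, the first policy produces one finding (the `s3:*` on `Resource "*"` statement; the EC2 describe statement is not S3 data access and is left alone) and the second produces none. The point the comment makes is reflected in the design: whether the instance's credentials can reach a given bucket is decided entirely by what the customer attaches to the role, so that is the document to review.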
Re: (Score:2)
From what is known so far, at a minimum a misconfigured router was involved.
Comment removed (Score:5, Interesting)
Re: (Score:2)
Yeah and calling it cybersecurity used to get you laughed out of the room but now that's what it's called because it's what the majority of the population liked saying.
Re: (Score:2)
article says "Federal agents have arrested a Seattle woman named Paige Thompson"
Also middle name is Adele........
Re: (Score:2)
Re: (Score:2)
CV says: "Paige Adele Thompson", the article says "woman" throughout, with no hint any kind of gender identity politics being involved whatsoever.
Re: (Score:2)
Re: (Score:2)
Transsexualism is no longer classified as a mental disorder. Get over it.
Re: (Score:2)
While I'm firmly pro-science (and haven't heard about technology or magic words that can turn a man into a woman or vice versa), neither the article nor the CV include any suggestion the perp here is anything but a woman. If you have further data on this subject, that's swell, but I'm not omniscient and based my words on what was readily available. And, why would the perp's gender even matter?
plastic surgery (Score:5, Insightful)
The fine needs to be $5 per credential exposed, directed at the institution with the long memory. If the credential isn't worth $5 in future business, why are you keeping it around, long term, in giant datasets with honey on top?
Credential not worth more than a fancy cup of coffee? Expunge with great haste.
Most of your customers probably think that you spilling their SSN etc. is worse than dumping their own fancy coffee over them (so long as the coffee incident does not escalate into plastic surgery "down there"). A leaked SSN can also lead to painful plastic surgery "down there" on your credit rating, so it's perhaps a bit of a wash.
Comment removed (Score:4, Insightful)
Re:plastic surgery (Score:5, Informative)
Re: (Score:2)
Re: (Score:2)
Also, a lot of these "applications" are from their marketing scams; they send you a thing telling you that you qualify, so you're tricked into applying. Whereas if it was an obvious ad saying you can apply for a credit card, people would toss it, same as they do here, where that sort of deceptive marketing attracts government lawyers asking questions.
"What's in YOUR wallet?" (Score:5, Funny)
...hackers.
Might not even have been malicious (Score:2)
Just a not very smart demonstration of skill. I had to caution my Software Security students repeatedly to not hack anything without permission by the system and data owners even when they see things are clearly wrong and insecure. From an engineering PoV, it makes perfect sense to do the hack and provide evidence, and the companies that mess it up are almost universally unresponsive to information about vulnerabilities in their systems, also because they get a ton of false warnings. But from a legal PoV, i
Re: (Score:3)
> Do not do it, no matter how tempting.
There is a more important rule: Do Not Get Caught.
I've been in the position of demonstrating security vulnerabilities, and being sorely tempted to break in and leave evidence of the poor security. Many security whistleblowers are obvious and leave traces of their work. I don't advocate this, but I've observed colleagues escalating their breakins to demonstrate the ease, then demonstrate that the countermeasures are not effective, then publicly expose the vulnerabilit
Re: (Score:2)
The most reliable way to not get caught is to not do it. And since everybody makes mistakes, it is basically the only good way.
Re: (Score:2)
> The most reliable way to not get caught is to not do it. And since everybody makes mistakes, it is basically the only good way.
It's effective. Sadly, it may not be the _most_ effective way to protect your job, or the safety of others. There are occasions where the vulnerability is so great and the obvious consequences are so large that it becomes worth the risks to expose. Where that threshold resides can be a very tricky decision: it's a whistleblower problem. A whistleblower cannot always remain unde
Re: (Score:2)
When the risks are so large, you either have a reporting path or an escalation path, or it simply is not your problem. Only exception: Existential risks to yourself or somebody or group you care about enough to risk your own life or freedom. You can always think it worthwhile to sacrifice yourself. (But don't expect to ever be thanked for it....) Otherwise, your responsibilities end at what you are allowed to do.
Re: (Score:2)
If it's not on your direct path, you should _find_ where to report it. The idea that you leave something lying around broken because it "simply is not your problem" is common in highly structured environments, and it is why they cannot adapt. It discourages curiosity, it discourages professional growth, it encourages highly stratified bureaucracies that _cannot_ respond to shifting technologies or markets, and it encourages large scale security vulnerabilities.
I'm not upset at you personally for mentioning
Re: (Score:2)
I think you are misunderstanding what I am saying.
If it is in-house, things are simple: Escalate, if needed until you find somebody who cares. There always is some path for that, defined or otherwise. And that is something you should definitely do. My perspective is different: I am an external consultant, and I cannot ever "hack" anything without explicit permission. If I do that, it opens my employer up to liability and my loyalty is to my employer here, not some company out there where we do not even have
Re: (Score:2)
The problem is that some companies have a "cover everything up, blame the messenger" policy. If you find resistance in reporting a vulnerability, you can be damn sure that someone is going to find a reason to send you to jail for finding it.
Yeah, if you are just reporting it and not abusing it, the charges will be dropped. Will you get a "thanks" or compensation for the months you spent in jail or in court? Will you get compensation for the legal fees that have made you lose your house or at least forced to
Re: Might not even have been malicious (Score:2)
Then you bring it to a journalist. This isn't rocket science.
Re: (Score:2)
If you never want to work in the security industry again, sure.
Re: (Score:2)
Lol ok tell me how you explain that there is a security vulnerability.
Re: (Score:2)
Re: (Score:2)
Another nice example is Aaron Swartz. Don't do this, seriously.
Re: (Score:2)
What's in YOUR wallet? (Score:5, Funny)
All Thompson did was ask Capital One "What's in YOUR wallet?"
"Keep my stuff on other peoples infrastructure" (Score:4, Interesting)
It can be worse. It will be worse one day. Half of the world holding all their stuff at one company.. what can possibly go wrong ?
Re: (Score:3)
How would this be different if they did not use a cloud instance? If anything I would expect financial institutions to be more encouraged to use a cloud service as many of the big ones have done extensive compliance check requirements, including extensive vetting of any employee that has administrative operations on user data.
Cloud service companies maintain the following priorities with respect to data access:
1. Integrity (we won't lose your data)
2. Security (your data is as safe as you make it)
3. Availabi
Re: (Score:2)
You don't even want to know how much healthcare data is stored at 3rd party cloud services. Most of them have the policy of, "if it leaks, it's Amazon's fault not ours, so no need for extra security since we are isolated!"
Everyone misuses the word 'hack' (Score:4, Interesting)
In the literary sense, this person is 'a hack', but what she did was not 'hacking'.
What she did was notice a large bank had poor security practices, put that in her pocket, waited a couple years in an attempt to distance herself from being employed at AWS, then stole all the stuff. No hacking was involved in this at all, it was simple theft.
If you held on to a key from your apartment when you moved out and returned two years later to break in and steal stuff, you are not a lock picker. You're a dude with a key.
Not a woman (Score:4, Funny)
The picture at heavy.com shows clearly that he's a man:
https://heavy.com/news/2019/07... [heavy.com]
There is no such thing as a woman hacker.
Lots of 'em in Japan (Score:2)
Eventually there was money to be made and with it prestige, and men started to force women out. But a whole mess of foundational tech your computer runs on came from women. And today there's plenty more, but you hear a lot less of them because, well, posts like yours that accuse them of being men. They tend to keep their heads down.
Re: (Score:2)
Actually I should have used better words, there is no such thing as a Woman "black hat" hacker. I am a developer and I obviously have *real* female colleagues, the percentage of "smartness" is probably the same as in men.
And anyway, a man dressed as a woman is not a woman, period. I am not "accusing" him to be a man, just stating the obvious, "Paige" is a man.
Re: (Score:2)
HAHAHA! The "a" stands for Antonio :-D
Work history is revealing (Score:2)
8 positions in 11 years with gaps between most suggesting terminations not career progression.
If that CV passed my desk the person would not have gotten an interview never mind a role.
Appears to confirm the proposition that hiring practices are broken.
Re: (Score:2)
The way it's organized is bizarre too. I know Emacs and Vim can be expanded to work something like an IDE, but Git, Subversion, and TFS are source code management systems (TFS is also an issue tracker) and in no way IDEs; they are not made for editing, compiling, or running code. She also lists a bunch of individual, unremarkable CLI tools under command-line scripting skills, like rsync. Which is padding with filler at best or a sign of incompetence at worst.
Re: (Score:2)
I knew a woman who had a severe personality disorder and she kept getting contracts that "finished" and they were never ever extended. She was good at making first impressions and she had a similar employment history.
Eventually it seemed she wasn't able to get tech jobs anymore but for awhile getting fired seemed to push her career through a rapid progression even if she was shit at it.
Re: (Score:2)
You don't see the same level of hostility either here or from the public leveled at trans men. Nobody is arguing that they should have to use the bathroom of their birth sex. Pay usually stays the same or goes up. Trans women - job loss is the norm, as are lower pay and last
What about distribution? (Score:3, Interesting)
I've read two versions of this story and so far there's no mention of whether she distributed the data, or whether the Feds think she did. There's a big difference between stealing it as a trophy and selling it. Capital One says they'll inform people, but I'd like to know more about what *exactly* has happened.
Likely not hacking.... (Score:2)
Quite the little job hopper... (Score:2)
...she was. A lot of jobs she worked from January to May of the same year according to her resume. What is up with that?
Not exactly a criminal mastermind (Score:2)
Hire me cuz I has l33t skillz, see? I hax0r3d Amazon lolz.
Wanna buy some personal info?
Canadians: Costco and Hudson Bay (Score:2)
Just heard the following on the radio:
For Canadians, anyone who applied for a MasterCard from Costco or Hudson Bay Company between 2005 and 2019, you are affected.
Re: (Score:2, Interesting)
NO way!! We need these exceptionally talented execs to stay on. We cannot afford to have them all jump ship! Raises and bonuses for all! /sarc
It's pretty sickening but that is exactly what is going to fucking happen. Judges approve of bonuses and pay increases for execs all the time while salaries and jobs for the worker ants at businesses are cut.
Re: (Score:2)
Judges don't set compensation for business employees in the US, so naturally if you try to get a judge to get in the way of a bonus they will say something like, "looks good to me!"
It isn't that judges approve bonuses, it is that judges are generally not involved in disapproving them.
Re: (Score:2)
Re: (Score:2)
Yea, I intended to mention the bankruptcy part, my bad.
Re: (Score:2)
Everyone claims "oh no, we assume everyone involved in the process is acting with perfect integrity" when they know nobody is.
Re: (Score:2)
The perp is only getting up to 5 years.
Re: (Score:2)
Re: (Score:2)
Hmm, maybe the Mainstream media is leaving something out again! https://www.dailymail.co.uk/ne... [dailymail.co.uk]
Re: (Score:2)
That's fourteen years of data stolen, not a 14 year-long breach...
Re:Fourteen years? (Score:4, Interesting)
Why would an executive of a global bank know anything about how a web application firewall is configured? Or what data storage scheme is being used? Or when to properly age-out data?
This is all operations and architecture stuff, where the executives should be nowhere near. Now if the follow-on story is "engineers discovered the flaw and went to bank executives in order to approve fixes / patches and they said no for 5 months" then yes, off with their heads. But that's not the story.
Re: (Score:3)
This attitude is the problem. In today's connected world, market discovery of price or contacts is no longer an issue, so why do we keep putting salespeople as CEOs instead of engineers who know the guts of how things work at their company?
Re: (Score:2)
No woman would hack these servers.
Well, aren't you a sexist shit. Women are just as good as men at breaking the law.
Re: (Score:2)
Re: (Score:2)
Erm, you do realise that the US justice system is exceedingly sexist in its application of the law?
Women are less likely to be investigated for crimes, mainly because the police perceive it as a waste of their time as, even when there's good evidence, they're less likely to be prosecuted and even when they are, they receive a far lower punishment than a man would for the equivalent crime and far more likely to have mitigating circumstances taken into account.
The US prison population reflects the inherent bi
Re: (Score:2)
>"The US prison population reflects the inherent bias in the system and not the prevalence of crime by gender."
That is a pretty bold statement. I do believe there is SOME bias, but that is a small part of it. Men do commit FAR, FAR more crime than women, especially violent crime. That is a fact.
Re: (Score:2)
I disagree. Men do commit more crime than women but the system is extremely biased in one direction.
Many women commit assault on a daily basis for instance, but get away with it because their victims are male. Many women abuse their own children but get away with it because nobody sees.
But a woman can commit a crime just as well as a man can. Feminists tell me women are equal to men in every respect, after all.
Re: (Score:2)
Re: (Score:2)
Given women commit more child abuse than men you're clearly full of shit.
Incidentally, the law on rape is written in a way that doesn't recognise the serious sexual assaults committed by women: https://www.bbc.co.uk/news/sto... [bbc.co.uk]
Re: (Score:2)
Or women are just less likely to get caught.
Re: Media is referring to him as a woman (Score:2)
Women probably do it much better and get away with it. Men make dipshit criminals.
Re: (Score:2)
Uh. No they aren't.. The US prison population is proof of that. A given woman might be just as capable as a given man at breaking the law.. But as a whole women aren't. Those are two different concepts, but both are correct.
The data has to be hard to interpret. Locally, we had a woman who embezzled a lot of money from a local and very successful restaurant. Came very close to putting the place out of business, and a lot of people out of work. Her punishment? repay 30 thousand dollars, 30 days of house arrest, and 2 years of probation.
She profited around a hundred K from what ordinarily would have been felony embezzlement to 30 days stuck at home. Sweet gig if you can get it.
Making a statement on total numbers is pretty n
Re: (Score:2)
Re: (Score:2)
Actually he's transgender.
https://heavy.com/news/2019/07... [heavy.com]
Re: (Score:2)
She wanted to get caught. Trans women (unlike trans men) encounter all sorts of social impediments to things that are taken for granted, such as equal access to health care. Higher rates of sexual harassment and on-the-job hostility. Kind of hard to get access to proper medical treatment if you have higher barriers to getting and keeping a job.
So the best option is to commit a federal crime. She will end up in a women's prison, and get hormonal and surgical treatment.
Societies could avoid some of the c
Re: (Score:2)
Re: (Score:2)
How many 'branded' cards (stores, gas, airlines, resorts, cruise lines, etc) are actually Capital One cards? Doesn't seem that implausible.
Re: Sounds sketchy (Score:2)
Shouldn't matter. For many ailments, bankruptcy is the fiscally responsible reaction.
Re: (Score:2)
Amazon Employee (Score:2)
Amazon has top notch medical benefits.
Re: (Score:2)
Amazon has top notch medical benefits.
Not if you don't make it past the probationary period.
Re: (Score:2)
Trans health care? How expensive can a meat cleaver be?
Unfortunately some people are so desperate that they end up doing exactly that. Too ashamed to even ask a GP for help, so desperate that they literally take matters into their own hands. Gender dysphoria is real. It's no longer thought of as a mental illness, but as a consequence of the brain being wired in such a way that they identify as the other sex.
We can't change the message that the brain is forcing the person to see themselves, any more than we can change the brain of a colour blind person to perc
Re: (Score:2)
On the one hand, we have the medical experts who determined that I'm female, the courts who say I'm female, and my birth certificate which says I was born female.
On the other hand we have some anonymous kook who rejects the science of the last 25 years, which has shown that trans
Re: (Score:2)
More like 100 million people were sent bogus letters stating that they are pre-approved, just fill in the form, and the form is a credit application, and "pre-approved" just means your name or address was on a marketing list. Still no reason to keep rejected applications from 2005 on a server to be stolen within the last year. Even credit scoring companies have to purge data more than 7 years old.
Re: (Score:2)
I mentioned this earlier, but she was working at Amazon and they would have probably paid for anything she wanted.
Re: (Score:2)
As for me, you could not pay me to move to the USA. You got the government you deserve, you voted for it, you wear it.
Trump should be impeached, in the hope that the senate stops it and then the republicans have to run with the majority of voters knowing they kept a crook far wors
Re: (Score:2)