Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Businesses Cloud Security United States

Capital One Says Hacker Breached Accounts of 100 Million People; Ex-Amazon Employee Arrested (forbes.com) 280

CaptainDork shares a report from Forbes: Capital One said Monday that sensitive financial information -- including social security and bank account numbers -- from over 100 million people were exposed in a massive data breach that led to the arrest of former Amazon employee Paige Thompson, a hacker who lives in Seattle. The information was taken from credit card applications submitted to the Virginia-based bank from 2005-2019. These included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income. Additionally, Capital One said that 140,000 Social Security and 80,000 linked bank account numbers were compromised as well as fragments of transaction data from a total of 23 days during 2016, 2017 and 2018. No credit card account numbers or log-in credentials were exposed. Individuals whose information was compromised in the breach will be notified by Capital One. According to court documents, Paige Thompson was arrested for hacking into cloud computer servers rented by Capital One. Investigators say Thompson previously worked at the cloud computing company whose servers were breached, but did not name the company.

"Thompson's resume, which is still online, and her LinkedIn profile indicate that she worked at Amazon, which operates the popular cloud computing business Amazon Web Services, from 2015-2016," reports Forbes. "Thompson allegedly posted the information from the hack on her Github profile, which included a link to her resume, leading the FBI to her. The hack occurred on March 22 or 23, the court documents say, but no one at Capital One knew the bank had been breached until four months later when an anonymous security researcher alerted them."
This discussion has been archived. No new comments can be posted.

Capital One Says Hacker Breached Accounts of 100 Million People; Ex-Amazon Employee Arrested

Comments Filter:
  • Again... Why should we trust "The Cloud"?
    • Re:Ugh.... (Score:5, Interesting)

      by pegdhcp ( 1158827 ) on Tuesday July 30, 2019 @02:09AM (#59010494)
      "Using" the cloud and "trusting" the cloud are two distinct concepts. We all are using fiber and copper infrastructure laid down by some telco provider's lowest bidder. Do we trust them? No, disregarding their honesty level, we do not know company, never heard of them and never will. Do we use fruits of their labour? Certainly with some precautions, with protocols that removes most if not all potential problems those can be caused by infrastructure...

      The "problem" with cloud is that we usually treat it like server in a DC managed by our own team. Nope they are not. My servers are in Singapore due to historical and legal reasons, a country with laws difficult to follow, a country which, while most people describe as a very beautiful one I have no intentions to visit, I do not like international travel. So if I treat those server like servers run by myself, I am open to some problems.

      • The "problem" with cloud is that we usually treat it like server in a DC managed by our own team. Nope they are not.

        You are exactly, 100 percent correct. But the cloud was sold as a impervious fortress of encrypted security, when it was first getting started, and a lot of people foolishly bought into to that lie.

      • Right, and it's the DC part that is most dangerous. Many of us (cough, cough) think it's okay to use Microsoft software and have "Domain Controllers", and once we do this we are toast anyway.
  • no hacking (Score:3, Informative)

    by KiloByte ( 825081 ) on Tuesday July 30, 2019 @12:27AM (#59010294)

    What "hacker"? All she did was misuse valid (or legitimately assigned but not removed) credentials. That's no hacking in either ours nor Microsoft's/bad media sense. This is no different from a cashier lifting money.

    The other point is Amazon's lack of privilege separation, but we already know they suck (just like most other hosting providers...).

    • Re:no hacking (Score:5, Informative)

      by buchanmilne ( 258619 ) on Tuesday July 30, 2019 @01:24AM (#59010392) Homepage

      The other point is Amazon's lack of privilege separation

      I don't see any evidence that there was an issue with Amazon's "lack of privilege separation".

      According to the court documents [regmedia.co.uk], the hack was enabled by a firewall misconfiguration (by Capital One) that allowed remote execution of commands on a Capital One's instance, and the distribution of AWS credentials by Capital One to that instance that permitted access to the S3 bucket in question.

      Capital One chose to not separate the privileges sufficiently.

    • From what is known so far, at a minimum a misconfigured router was involved.

    • Comment removed (Score:5, Interesting)

      by account_deleted ( 4530225 ) on Tuesday July 30, 2019 @05:48AM (#59010912)
      Comment removed based on user account deletion
    • And while we are on the subject of misinformation, "It's a man, baby!"
      • CV says: "Paige Adele Thompson", the article says "woman" throughout, with no hint any kind of gender identity politics being involved whatsoever.

        • The only person who mentioned politics is you. The articles are calling a man a woman. That is misinformation. DOH!
          • And you have seen their birth certificate? If they have legally changed it from male to female then they are, for all intents and purposes, a women. Even the states that have bathroom bills will require her to use the woman's bathroom and arrest her if she tries to use the men's.

            Transsexualism is no longer classified as a mental disorder. Get over it.

  • plastic surgery (Score:5, Insightful)

    by epine ( 68316 ) on Tuesday July 30, 2019 @12:34AM (#59010310)

    The fine needs to be $5 per credential exposed, directed at the institution with the long memory. If the credential isn't worth $5 in future business, why are you keeping it around, long term, in giant datasets with honey on top?

    Credential not worth more than a fancy cup of coffee? Expunge with great haste.

    Most of your customers probably think that you spilling their SSN etc. is worse than dumping their over their own fancy coffee (so long as the coffee incident does not escalate into plastic surgery "down there"). A leaked SSN can also lead to painful plastic surgery "down there" on your credit rating, so it's perhaps a bit of a wash.

    • Comment removed (Score:4, Insightful)

      by account_deleted ( 4530225 ) on Tuesday July 30, 2019 @06:04AM (#59010936)
      Comment removed based on user account deletion
    • They're keeping it because they have to. Regulations say they must keep consumer applications for at least 25 months and business applications for 12. They may find it necessary to keep them longer because records are pretty damn important to banking.
      • So why are they keeping it for more than a decade? The hack was recent, but the data was sitting there long after the law requires.

        Also, a lot of these "applications " are from their marketing scams, they send you a thing telling them you qualify, so you're tricked into applying. Whereas if it was an obvious ad saying you can apply for a credit card, people would toss it, same as they do here where that sort of deceptive marketing attracts government lawyers asking questions.

  • by Tablizer ( 95088 ) on Tuesday July 30, 2019 @12:39AM (#59010318) Journal

    ...hackers.

  • Just a not very smart demonstration of skill. I had to caution my Software Security students repeatedly to not hack anything without permission by the system and data owners even when they see things are clearly wrong and insecure. From an engineering PoV, it makes perfect sense to do the hack and provide evidence, and the companies that mess it up are almost universally unresponsive to information about vulnerabilities in their systems, also because they get a ton of false warnings. But from a legal PoV, i

    • > o not do it, no matter how tempting.

      There is a more important rule: Do Not Get Caught.

      I've been in the position of demonstrating security vulnerabilities, and being sorely tempted to break in and leave evidence of the poor security. Many security whistleblowers are obvious and leave traces of their work. I don't advocate this, but I've observed colleagues escalating their breakins to demonstrate the ease, then demonstrate that the countermeasures are not effective, then publicly expose the vulnerabilit

      • by gweihir ( 88907 )

        The most reliable way to not get caught is to not do it. And since everybody makes mistakes, it is basically the only good way.

        • > The most reliable way to not get caught is to not do it. And since everybody makes mistakes, it is basically the only good way.

          It's effective. Sadly, it may not be the _most_ effective way to protect your job, or the safety of others. There are occasions where the vulnerability is so great and the obvious consequences are so large that it becomes worth the risks to expose. Where that threshold resides can be a very tricky decision: it's a whistleblower problem. A whistleblower cannot always remain unde

          • by gweihir ( 88907 )

            When the risks are so large, you either have a reporting path or an escalation path, or it simply is not your problem. Only exception: Existential risks to yourself or somebody or group you care about enough to risk your own life or freedom. You can always think it worthwhile to sacrifice yourself. (But don't expect to ever be thanked for it....) Otherwise, your responsibilities end at what you are allowed to do.

            • If it's not on your direct path, you should _find_ where to report it. The idea that you leave something lying around broken because it "simply is not your problem" is common in highly structured environments, and it is why they cannot adopt. It discourages curiosity, it discourages professoinal growth, it encourages highly stratified bureaucracies that _cannot_ respond to shifting technologies or markets, and it encourages large scale security vulnerabilities.

              I'm not upset at you personally for mentioning

              • by gweihir ( 88907 )

                I think you are misunderstanding what I am saying.

                If it is in-house, things are simple: Escalate, if needed until you find somebody who cares. There always is some path for that, defined or otherwise. And that is something you should definitely do. My perspective is different: I am an external consultant, and I cannot ever "hack" anything without explicit permission. If I do that, it opens my employer up to liability and my loyalty is to my employer here, not some company out there were we do not even have

              • The problem is that some companies have a "cover everything up, blame the messenger" policy. If you find resistance in reporting a vulnerability, you can be damn sure that someone is going to find a reason to send you to jail for finding it.

                Yeah, if you are just reporting it and not abusing it, the charges will be dropped. Will you get a "thanks" or compensation for the months you spent in jail or in court? Will you get compensation for the legal fees that have made you lose your house or at least forced to

          • Then you bring it to a journalist. This isn't rocket science.

    • by ELCouz ( 1338259 )
      This the best way by far to get a job afterward in being a Security Consultant. Look at Kevin Mitnick!
      • by gweihir ( 88907 )

        Another nice example is Aaron Swartz. Don't do this, seriously.

        • by ELCouz ( 1338259 )
          There's a difference between remote exploiting vs breaking and entering, attaching devices to a physical network and gaining access! Aaron Swartz is really a bad example to compare.
  • by sjames ( 1099 ) on Tuesday July 30, 2019 @02:10AM (#59010498) Homepage Journal

    All Thompson did was ask Capital One "What's in YOUR wallet?"

  • by geekymachoman ( 1261484 ) on Tuesday July 30, 2019 @02:23AM (#59010536)
    I understand people use this stuff (amazon/cloud companies) for everything from facebook games, blogs, news sites, travel agencies, various game developers as cdn, and list goes on... and most of it is irrelevant garbage data that nobody cares about, but a financial institution ?

    It can be worse. It will be worse one day. Half of the world holding all their stuff at one company.. what can possibly go wrong ?
    • How would this be different if they did not use a cloud instance? If anything I would expect financial institutions to be more encouraged to use a cloud service as many of the big ones have done extensive compliance check requirements, including extensive vetting of any employee that has administrative operations on user data.

      Cloud service companies maintain the following priorities with respect to data access:
      1. Integrity (we won't lose your data)
      2. Security (your data is as safe as you make it)
      3. Availabi

    • You don't even want to know how much healthcare data is stored at 3rd party cloud services. Most of them have the policy of, "if it leaks, its amazon's fault not ours, so no need for extra security since we are isolated!"

  • by mattyj ( 18900 ) on Tuesday July 30, 2019 @03:40AM (#59010672)

    In the literary sense, this person is 'a hack', but what she did was not 'hacking'.

    What she did was notice a large bank had poor security practices, put that in her pocket, waited a couple years in an attempt to distance herself from being employed at AWS, then stole all the stuff. No hacking was involved in this at all, it was simple theft.

    If you held on to a key from your apartment when you moved out and returned two years later to break in and steal stuff, you are not a lock picker. You're a dude with a key.

  • Not a woman (Score:4, Funny)

    by apetrelli ( 1308945 ) on Tuesday July 30, 2019 @03:59AM (#59010714)

    The picture at heavy.com shows clearly that he's a man:
    https://heavy.com/news/2019/07... [heavy.com]
    There is no such thing as a woman hacker.

    • and there were tons of them in the 50s and 60s when computing was "Women's work" (men thought programming was just feeding punch cards into a machine, way to go there boys).

      Eventually there was money to be made and with it prestige and men started to force women out. But a whole mess of foundational tech you're computer runs on came from women. And today there's plenty more, but you hear a lot less of them because, well, posts like yours that accuse them of being men. They tend to keep their heads down.
      • Actually I should have used better words, there is no such thing as a Woman "black hat" hacker. I am a developer and I obviously have *real* female colleagues, the percentage of "smartness" is probably the same as in men.
        And anyway, a man dressed as a woman is not a woman, period. I am not "accusing" him to be a man, just stating the obvious, "Paige" is a man.

  • 8 positions in 11 years with gaps between most suggesting terminations not career progression.

    If that CV passed my desk the person would not have gotten an interview never mind a role.

    Appears to confirmation the proposition that Hiring practices are broken.

    • The way it's organized is bizarre too. I know Emacs and Vim can be expanded to work something like an IDE, but Git, Subversion, and TFS are source code management systems (TFS is also an issue tracker) and in no way IDEs, they are not made for editing, compiling, or running code. She also lists a bunch of individual, unremarkable CLI tools under command-line scripting skills, like rsync. Which is packing with filler at best or a sign of incompetence at worst.

      • I knew a woman who had a severe personality disorder and she kept getting contracts that "finished" and they were never ever extended. She was good at making first impressions and she had a similar employment history.
        Eventually it seemed she wasn't able to get tech jobs anymore but for awhile getting fired seemed to push her career through a rapid progression even if she was shit at it.

  • by Anonymous Coward on Tuesday July 30, 2019 @07:14AM (#59011144)

    I've read two versions of this story and so far there's no mention of whether she distributed the data, or whether the Feds think she did. There's a big difference between stealing it as a trophy and selling it. Capital One says they'll inform people, but I'd like to know more about what *exactly* has happened.

  • So an ex-amazon employee access amazon web services infrastructure. I doubt that was "hacking", more probable is a lapse in security protocol for separated employees.
  • ...she was. A lot of jobs she worked from January to May of the same year according to her resume. What is up with that?

  • "Thompson allegedly posted the information from the hack on her Github profile, which included a link to her resume, leading the FBI to her."

    Hire me cuz I has l33t skillz, see? I hax0r3d Amazon lolz.
    Wanna buy some personal info?
  • Just heard the following on the radio:

    For Canadians, anyone who applied for a MasterCard from Costco or Hudson Bay Company between 2005 and 2019, you are affected.

You know you've landed gear-up when it takes full power to taxi.

Working...