Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Businesses Crime Technology

Ex-Amazon Employee Convicted Over Data Breach of 100 Million CapitalOne Customers (techcrunch.com) 61

Paige Thompson, a former Amazon employee accused of stealing the personal information of 100 million customers by breaching banking giant CapitalOne in 2019, has been found guilty by a Seattle jury on charges of wire fraud and computer hacking. From a report: Thompson, 36, was accused of using her knowledge as a software engineer working in the retail giant's cloud division, Amazon Web Services, to identify cloud storage servers that were allegedly misconfigured to gain access to the cloud stored data used by CapitalOne. That included names, dates of birth, Social Security numbers, email addresses and phone numbers, and other sensitive financial information, such as credit scores, limits and balances. Some one million Canadians were also affected by the CapitalOne breach. Thompson also accessed the cloud stored data of more than 30 other companies, according to a superseding indictment filed by the Justice Department almost two years after Thompson was first charged, which reportedly included Vodafone, Ford, Michigan State University and the Ohio Department of Transportation.
This discussion has been archived. No new comments can be posted.

Ex-Amazon Employee Convicted Over Data Breach of 100 Million CapitalOne Customers

Comments Filter:

  • The likes of the GDPR should have educated management that data is also a liability, not just an asset.
    And unnecessary data gathering is a major liability.

    (And yes, I'm aware this data breach happened in 'murca.)
    • by bws111 ( 1216812 )

      What data that they had ( names, dates of birth, Social Security numbers, email addresses and phone numbers, and other sensitive financial information, such as credit scores, limits and balances) are you pretending is unnecessary?

  • by Virtucon ( 127420 ) on Tuesday June 21, 2022 @10:05AM (#62639592)

    Does it bother anybody that Ford, UMich, CaptialOne, et al. had insecure data in AWS?

    • by schwit1 ( 797399 )

      Tip of the iceberg.

    • Re: (Score:3, Insightful)

      by awwshit ( 6214476 )

      Maybe we should blame AWS for being insecure by default. One has to wonder who else accessed the data.

      • Maybe we should blame AWS for being insecure by default.

        You don't want to go down that road. Nothing good is down there. What we need is to make corporate officers personally responsible for these breaches. How they choose to store data and with whom is up to them, it needs to be their responsibility, which means they need to be held responsible. Literally nothing else will solve this problem under corporate capitalism.

        • The issue is balancing accountability with the need for transparency about the breach. How did it happen? Who did it? What vulnerabilities did they exploit? What tools did they use? What data did they get? We do not want companies hiding the fact of the breach from customers or even the public. Do you want them just paying off the extortionists and pretending nothing happened to avoid consequences?
        • There is plenty of blame to go around.

          • Blaming Amazon for insecure defaults sets a precedent that might well destroy [F]OSS.

            No question they should be encouraged to tighten things up, but providing foot-shooting ability is ultimately necessary.

      • by Virtucon ( 127420 ) on Tuesday June 21, 2022 @10:40AM (#62639690)

        AWS has big disclaimers on their services. From their TOS: [amazon.com]

        4. Your Responsibilities.

        4.1 Your Accounts. Except to the extent caused by our breach of this Agreement, (a) you are responsible for all activities that occur under your account, regardless of whether the activities are authorized by you or undertaken by you, your employees or a third party (including your contractors, agents or End Users), and (b) we and our affiliates are not responsible for unauthorized access to your account.

        4.2 Your Content. You will ensure that Your Content and your and End Users’ use of Your Content or the Service Offerings will not violate any of the Policies or any applicable law. You are solely responsible for the development, content, operation, maintenance, and use of Your Content.

        4.3 Your Security and Backup. You are responsible for properly configuring and using the Service Offerings and otherwise taking appropriate action to secure, protect and backup your accounts and Your Content in a manner that will provide appropriate security and protection, which might include use of encryption to protect Your Content from unauthorized access and routinely archiving Your Content.

        4.4 Log-In Credentials and Account Keys. AWS log-in credentials and private keys generated by the Services are for your internal use only and you will not sell, transfer or sublicense them to any other entity or person, except that you may disclose your private key to your agents and subcontractors performing work on your behalf.

        4.5 End Users. You will be deemed to have taken any action that you permit, assist or facilitate any person or entity to take related to this Agreement, Your Content or use of the Service Offerings. You are responsible for End Users’ use of Your Content and the Service Offerings. You will ensure that all End Users comply with your obligations under this Agreement and that the terms of your agreement with each End User are consistent with this Agreement. If you become aware of any violation of your obligations under this Agreement caused by an End User, you will immediately suspend access to Your Content and the Service Offerings by such End User. We do not provide any support or services to End Users unless we have a separate agreement with you or an End User obligating us to provide such support or services.

        You the user of their services is responsible, they take no responsibility.

      • by Scoth ( 879800 ) on Tuesday June 21, 2022 @10:49AM (#62639714)

        In general, AWS goes out of its way to not be insecure by default. Things start out pretty locked down, and it takes a few steps to open things up. The problem is that people who don't what what they're doing just do easy "allow all" kind of rules, or disable various protections and permissions, which leads to things being insecure while still technically working. Some AWS services even pop up big banners when they're fully public to make sure devs are aware.

        There are legitimate use cases for things set up that way, you can't really blame the service for improper use by devs/whomever. Although there's plenty of valid discussion to be had about "Cloud" in general as a concept and whether it's good to be using it for sensitive data at all.

        • > Although there's plenty of valid discussion to be had about "Cloud" in general as a concept and whether it's good to be using it for sensitive data at all.

          I think the cloud can be fine, with the proper controls in place.

          Datacenter offerings have evolved, there is rented space where you do your own everything, there are hosted/dedicated computers, there are shared hardware environments, probably other things I'm not thinking of. When we talk about 'Cloud' and Software-as-a-Service, then we expect to be

    • by k6mfw ( 1182893 )
      I ask how does just one person able to commit such a breach?
    • Does it bother anybody that Ford, UMich, CaptialOne, et al. had...data in AWS?

      Yes, very much. Whoever decided to store that information on an outside server needs some prison time to think about their easily avoidable idiocy.

    • Very common problem, the cost of security exceeds the cost of getting caught. Oftentimes ends up a financial decision risk vs reward. Do I spend a couple extra million just incase or do I let it ride and reap that reward.
  • Maybe mentally ill people shouldn't be placed in positions of importance?
    https://www.geekwire.com/2019/... [geekwire.com]

    • Do you consider narcissism an illness? You may need to replace a large number CEOs in that case.
    • by DarkOx ( 621550 )

      ^^THIS^^

      The whole event comes down to exploitation of a difficult to identify misconfiguration unless of course you have insider knowledge.

      Simple reality is gender dysphoria where the person is so functionally impaired they can't engage in normative behavior, is a severe illness. These people should be committed and treated, not given high-trust positions because DEI

  • This will be a lesson for the employee and even freelancers to be more cautious when it comes to private details/information of the company/client. NDA must be recognized by both parties. https://jonalyncastroverde.wix... [wixsite.com]

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...