Capital One Data Breach Exposes 100 Million Records to Seattle Hacker - Schneider Downs

Page created by Danielle Stone
 
July 30, 2019

Capital One Data Breach Exposes 100 Million
Records to Seattle Hacker
CYBERSECURITY, FINANCIAL SERVICES
BY DAN DESKO


Barely a week after the Equifax data breach was settled for nearly $650 million, news of an almost equally
large mega-breach was announced today by Capital One. Capital One said in a statement that this breach has
affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
This breach appears to be largely related to credit card application data, as the statement notes: “The
largest category of information accessed was information on consumers and small businesses as of the time
they applied for one of our credit card products from 2005 through early 2019.”

According to complaint information from the United States Attorney’s Office for the Western District of
Washington, a software engineer turned hacker from Seattle, Paige Thompson (aka “erratic”), is being
charged under the Computer Fraud and Abuse Act (CFAA) for involvement in the unlawful access and
exfiltration of this data.

On July 17, 2019, Capital One was notified of the potential breach through an email address
(responsibledisclosure@capitalone.com) which it uses to solicit disclosures of actual or potential
vulnerabilities in its computer systems. The screen capture shown below is from the complaint document;
it notes that there is potential “Leaked s3 data.”

[Image: screen capture from the complaint document]

The moniker “s3” stands for Simple Storage Service, a service hosted by Amazon Web Services (AWS).
Also according to the complaint, a firewall misconfiguration was to blame for initially allowing
interaction between the hacker and the system.

A few circumstances surrounding this case are unusual for cybercrime/breach issues and have really
piqued my interest:

  A suspect is already in custody. Typically, in many of these large breaches, investigators can only postulate
  with a certain degree of certainty who the bad actor was. In this case, they have charged someone with a crime,
  and quickly. This appears to have been possible because of public boasting by the bad actor. This is strange for
  a couple of reasons: (1) bad people don’t like to get caught, and that would be a dumb move, and (2) why use a
  TOR node to exploit the environment if you were going to publicly boast about it anyway?

  The suspect is from the United States and the motive seems unclear. Many breaches that we are accustomed to
  hearing about in the news have foreign-based actors and different motives behind the attacks. This attack
  appears to have come from a bad actor within our borders, and there doesn’t appear to have been any disclosure
  of the data; as the Capital One press release notes, “we believe it is unlikely that the information was used
  for fraud or disseminated by this individual.” Perhaps the quick action of law enforcement preempted a
  disclosure of this data.

  It appears somewhat likely that the bad actor may have exploited commercial infrastructure that she had
  helped to build. Follow along for a moment. The US attorney complaint notes that information posted on a
  GitLab page led them to believe the bad actor worked for a cloud computing company at one point as a “systems
  engineer” from 2015-2016. However, the complaint does not name the former employer. A quick
  search for “Paige Thompson” on GitLab produces a resume for a woman named Paige Thompson that notes
  that she worked at AWS from 2015-2016 as a “Systems Engineer Lvl. 4” for the Amazon AWS S3 division. Her
  experience notes that she “Assisted in the build-out and deployment of new load balancing capacity for S3.”

While there is undoubtedly much more to come on this event, the initial details are very interesting. From a
business standpoint, there are many lessons that can be gleaned from this event. Regular security
audits and penetration tests of all assets, including cloud infrastructure, are a highly recommended and
valuable exercise that can bring to light the serious issues that lead to events like these. In addition to
security audits and penetration tests, there were several missed signs of bad activity that should have been
logged, recognized and alerted on. For example, the complaint mentions the following bad activity found in
the logs: a VPN connection from the IPredator anonymization service, TOR exit node connections, and anomalous
behavior from seldom-used accounts. Be sure to learn from others’ mistakes to strengthen your own
environment and help avoid issues like this.
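
The three log signals named above can be turned into simple alerting rules. The following is an added example, not code from the original article or from Capital One: the log format, account names, indicator lists (RFC 5737 documentation addresses) and the 90-day dormancy threshold are all constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed indicator lists; in practice these come from a Tor exit list
# and from published or observed ranges of anonymizing VPN providers.
TOR_EXIT_NODES = {"198.51.100.7", "198.51.100.23"}
ANONYMIZING_VPN_NETS = [ipaddress.ip_network("203.0.113.0/24")]
DORMANT_AFTER = timedelta(days=90)  # assumed threshold for a "seldom-used" account

# Constructed log lines: timestamp, account, source IP, action
SAMPLE_LOG = """\
2019-01-05T10:00:00 app-deploy 10.0.4.12 ListBuckets
2019-03-01T09:15:00 web-frontend 10.0.4.20 GetObject
2019-04-21T02:11:00 app-deploy 198.51.100.7 ListBuckets
2019-04-21T02:13:00 app-deploy 203.0.113.44 GetObject
2019-04-22T08:00:00 web-frontend 10.0.4.20 GetObject
"""

def parse_line(line):
    ts, account, ip, action = line.split()
    return datetime.fromisoformat(ts), account, ipaddress.ip_address(ip), action

def detect(log_text):
    """Return (timestamp, account, ip, reasons) for each event that trips a rule."""
    last_seen = {}  # account -> time of its previous event
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, _action = parse_line(line)
        reasons = []
        if str(ip) in TOR_EXIT_NODES:
            reasons.append("tor-exit-node")
        if any(ip in net for net in ANONYMIZING_VPN_NETS):
            reasons.append("anonymizing-vpn")
        previous = last_seen.get(account)
        # An account that wakes up after a long silence is worth a look.
        if previous is not None and ts - previous > DORMANT_AFTER:
            reasons.append("dormant-account-active")
        last_seen[account] = ts
        if reasons:
            alerts.append((ts.isoformat(), account, str(ip), reasons))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```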

Tips like these and others are mentioned in a recent white paper that I authored along with our Incident
Response Leader, David Murphy, which is available here:
https://schneiderdowns.com/10-things-companies-wish-they-did-before-a-breach
