Capital One – The Breach


The incident

Capital One issued a press release on 29 July 2019 stating that an outside individual had gained unauthorized access to its customer information. The information obtained was credit card application data for applications submitted between 2005 and early 2019. The breached information includes:

– Name

– Addresses, ZIP/Postal Codes

– Phone number

– Email addresses

– Date of Birth

– Income information (self reported)

– Status information – credit scores, credit limits, balances, payment history, contact information

– Transaction data from a total of 23 days during 2016,2017 & 2018

– Social Security numbers of 140,000 individuals, and 80,000 linked bank account numbers of secured credit card customers

Existing customers do not seem to be affected, as the system in question served only the credit card application facility.

What happened?

According to Capital One, the “highly sophisticated individual” was able to exploit a certain configuration vulnerability. The NYT added that it was a misconfigured firewall on a web application, which echoes the court documents pointing to a misconfigured firewall on Capital One’s Amazon Web Services cloud server. The information was accessed between March 12 and July 17.

More than 700 folders of data were stored on the server.

The hacker

The FBI has arrested Paige A. Thompson, who goes by the nick “erratic”, according to the Justice Department. Ms Thompson made an appearance in Seattle District Court on July 29, 2019 and was ordered detained pending a hearing on August 1, 2019.

Ms Thompson posted on GitHub about the information theft, which a GitHub user reported to Capital One on July 17, 2019. Capital One contacted the FBI on July 19, 2019 after confirming the breach was legitimate. The FBI confirmed the identity of the attacker.

Ms. Thompson has worked with Amazon Web Services before. It was also evident that Ms Thompson left online trails of her hacker activities. She is listed as an organizer for “Seattle Wares Kiddies”, a group on Meetup, which led to her online identities on other social media such as Twitter and Slack. The nick “erratic” was traced back to Ms Thompson because she had previously posted a photograph of an invoice for veterinary care services.

Ms. Thompson was quoted as saying “I’ve basically strapped myself with a bomb vest” in a related Slack posting, according to the prosecutors. If convicted, Ms Thompson faces a possible fine of USD 250K and up to 5 years in jail.

The victim (?)

Capital One anticipates incurring losses of up to USD 150 million, which includes paying for customers’ credit monitoring services. Credit monitoring and identity protection services are offered as compensation to those affected.

Capital One may also face regulatory fines or sanctions, which at this point are still undetermined, as well as lawsuits.

The New York Times also reported that Amazon has refused any blame for the incident. Amazon told Newsweek that “this type of vulnerability is not specific to the cloud”. Misconfiguration, whether at the application or data bucket layer, seems to be the leading cause of data theft from cloud infrastructure, as seen in the past with Attunity. Amazon maintains that “you choose how your content is secured”.

Situational Analysis

Social media seems abuzz over whether the focus should be on the attacker, since it is a criminal offense, while Capital One walks free. While the attacker may have committed a crime, the question is: could it have been prevented?

From a criminal aspect, what Ms Thompson did is illegal. The proof was seemingly handed over by Ms Thompson herself, through her many posts and articles and poor opsec in posting the invoice. Ms Thompson’s public persona indicates a leaning towards hacking, and her postings on social media channels indicate admission. Following the digital trail, the prosecutors would have all the evidence necessary to convict Ms. Thompson. In my opinion, it seems the prosecutors have an open-and-shut case on their hands.

Capital One was also dissected on social media for its role in the incident. The question remains whether Capital One had done everything it possibly could to ensure such issues do not occur. Reading the press release, it seems that Capital One looks to “augment routine automated scanning to look for this issue on a continuous basis”. I am not sure how to interpret that: whether a routine automated scan has been recently introduced, or whether the existing scan was enhanced to include misconfiguration-related issues.

What’s next?

Companies with a cloud presence have a different set of security concerns to address, whereas a traditional on-prem presence seems to offer better control. Some quick action items for organizations concerned with such issues:

I. Train your staff on cloud security. Training can be provider specific as well as provider agnostic.

II. Providers such as Amazon and Azure have configuration templates that can be used to roll out services securely. These configurations are secure by default and will not allow any insecure setup. Any insecure setup should be reviewed and follow the internal process for deployment and approval.

III. Deploy tools to check for misconfiguration on a periodic basis.

IV. Separate instances based on environment type – Development/Testing/Production

V. Enforce strict IAM/PAM (Identity Access Management/Privileged Access Management) to ensure access is managed effectively
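Item III (periodic misconfiguration checks) is the one most directly tied to how this incident was described, so here is an added example of what such a check can look like. This is example code written for this post, not Capital One's or Amazon's tooling. It assumes a team has already exported its EC2 security groups (in the dictionary shape `describe_security_groups` returns), its S3 public-access-block settings and its bucket policies; the snapshot below is constructed inline so the script runs offline, and the bucket names, group ids and the list of sensitive ports are all made-up values.

```python
"""Periodic cloud misconfiguration check over exported AWS configuration.

Added example for this post, not Capital One's or AWS's own code. Inputs are
constructed snapshots in the shape the AWS APIs return; a real run would
feed it the output of describe_security_groups, get_public_access_block and
get_bucket_policy instead.
"""
import ipaddress
import json

# Ports where world-open ingress is almost never intended. Assumption: a
# team maintains this list for its own environment.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 1433, 27017, 6379, 9200}


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0 (a /0 prefix means 'everyone')."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _port_hit(perm, port):
    """Does this permission entry cover the given port?"""
    if perm.get("IpProtocol") == "-1":      # -1 means all protocols/ports
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return lo is not None and hi is not None and lo <= port <= hi


def check_security_groups(groups):
    """Flag inbound rules open to the whole internet on a sensitive port."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
            cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
            if not any(_is_world(c) for c in cidrs if c):
                continue
            hit = sorted(p for p in SENSITIVE_PORTS if _port_hit(perm, p))
            if hit:
                findings.append(f"{sg['GroupId']}: world-open ingress on ports {hit}")
    return findings


def check_public_access_blocks(blocks):
    """Flag buckets whose PublicAccessBlock leaves any of the four guards off."""
    wanted = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")
    findings = []
    for bucket, cfg in blocks.items():
        off = [k for k in wanted if not cfg.get(k, False)]
        if off:
            findings.append(f"{bucket}: public access block missing {off}")
    return findings


def check_bucket_policies(policies):
    """Flag Allow statements granted to Principal '*' with no Condition."""
    findings = []
    for bucket, doc in policies.items():
        for stmt in json.loads(doc).get("Statement", []):
            principal = stmt.get("Principal")
            anyone = principal == "*" or (
                isinstance(principal, dict) and principal.get("AWS") == "*")
            if stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt:
                findings.append(
                    f"{bucket}: policy allows {stmt.get('Action')} to anyone")
    return findings


def run_checks(groups, blocks, policies):
    """Run all checks and return the combined list of finding strings."""
    return (check_security_groups(groups)
            + check_public_access_blocks(blocks)
            + check_bucket_policies(policies))


# --- Constructed sample snapshot (made-up ids and bucket names) -------------
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # fine: public HTTPS
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # bad: SSH to the world
    ]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},         # fine: internal only
    ]},
]
SAMPLE_PUBLIC_ACCESS_BLOCKS = {
    "app-logs": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "card-applications": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
}
SAMPLE_BUCKET_POLICIES = {
    "card-applications": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::card-applications/*"}]}),
    "app-logs": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/log-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"}]}),
}

SAMPLE_FINDINGS = run_checks(SAMPLE_SECURITY_GROUPS,
                             SAMPLE_PUBLIC_ACCESS_BLOCKS, SAMPLE_BUCKET_POLICIES)

if __name__ == "__main__":
    for line in SAMPLE_FINDINGS:
        print("FINDING:", line)
```

Scheduled from cron or a CI job and fed fresh API exports, a script like this turns item III into something measurable: every run either returns an empty list or a set of findings that can be ticketed, and a finding that reappears after being closed is itself a signal that the deployment process in item II is being bypassed.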


  1. New York Times –
  2. TechRadar –
  3. CNET –
  4. US Dept of Justice –
  5. Capital One –
  6. NewsWeek –
  7. US Department of Justice – Case details –