04 Aug How the Accused Capital One Hacker Stole Reams of Data From…
The woman who allegedly pulled off one of the largest-ever bank-data heists appeared to have exploited a vulnerability in the cloud that security experts have warned about for years.
Paige A. Thompson, a former employee at Amazon’s cloud-computing unit who was arrested Monday, is accused of carrying out the massive theft of 106 million Capital One Financial customer records.
Capital One has said “a specific configuration vulnerability” led to the data loss.
Ms. Thompson was allegedly able to find an opening in Capital One’s systems and exploit a weakness in some misconfigured networks, according to a Wall Street Journal analysis of hundreds of Ms. Thompson’s online messages and interviews with people familiar with the investigation. Security professionals for years have warned about that gap, which the messages and interviews suggest she used to trick a system in the cloud to uncover the sensitive credentials she needed to access the vast number of customer records.
Ms. Thompson, in online messages in accounts that prosecutors have said were hers, claimed to have also applied those techniques to access a trove of online data from other organizations. The messages were posted in online forums.
Ms. Thompson’s lawyer didn’t respond to requests for comment. She remains in detention and is scheduled for a bail hearing on Aug. 15.
At the heart of the digital break-in was Ms. Thompson’s apparent ability to tap into a central piece of Amazon’s cloud technology known as its metadata service. It holds the credentials and other data needed to manage servers in the cloud. The credentials effectively are the computer world’s equivalent to the keys to a bank vault.
In the first step of her alleged hack that began in March, according to her online postings, Ms. Thompson ran a scan of the internet to find vulnerable computers that could give her access to a company’s internal networks. Effectively, she knocked on many front doors to hunt for ones that were unlocked.
In the case of Capital One, she found an unsecured computer that provided the portal between the company’s secured network and the public internet, according to people familiar with the investigation. The door was open.
Through that opening, she was able to send a request to the Amazon cloud metadata tool kit for the credentials needed to search Capital One’s cloud-stored data, the people said.
“Dude so many people are doing it wrong,” Ms. Thompson said in a June 27 online message, referring to how some companies were incorrectly configuring their servers.
With the credentials retrieved from the metadata tool kit, she was able to find Capital One data and then easily download the information, the people familiar with the investigation said. All, apparently, without triggering any alerts.
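As an added illustration (not code from the article, Capital One or Amazon), below is the kind of destination guard the misconfigured relay described above lacked: before forwarding a request on a caller's behalf it resolves the target and refuses anything that lands on the link-local 169.254.0.0/16 range where cloud instance metadata services answer, or on other internal ranges. The hostnames and the stand-in resolver table are constructed so the example runs offline.

```python
"""Destination guard for a request-forwarding service (reverse proxy, WAF,
URL fetcher). Added example; hostnames and the resolver table are constructed."""
import ipaddress
from urllib.parse import urlparse

# Networks a forwarder must never reach on a caller's behalf. 169.254.0.0/16 is
# link-local, where cloud instance metadata services (AWS's included) answer.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed stand-in for DNS. The last two entries model hostnames an
# attacker controls and points (wholly or partly) at the metadata address.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "cdn.example.net": ["198.51.100.7", "::ffff:169.254.169.254"],
    "evil.example.org": ["169.254.169.254"],
}

def _normalise(ip):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply."""
    addr = ipaddress.ip_address(ip)
    return getattr(addr, "ipv4_mapped", None) or addr

def is_blocked_address(ip):
    """True when the address falls inside any blocked network."""
    return any(_normalise(ip) in net for net in BLOCKED_NETWORKS)

def check_forward_target(url, resolver=FAKE_DNS):
    """Return (allowed, reason). Every address the host resolves to must lie
    outside BLOCKED_NETWORKS; a single bad A/AAAA record rejects the request,
    and anything that cannot be resolved fails closed."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported scheme or missing host"
    host = parts.hostname
    try:                      # literal IP in the URL: no lookup needed
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver.get(host)
        if not addrs:
            return False, "host does not resolve"
    for ip in addrs:
        if is_blocked_address(ip):
            return False, "resolves to blocked address %s" % ip
    return True, "ok"
```

A real forwarder must also connect to the address it validated rather than re-resolving the name, and must re-run the check on every redirect it follows.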
Amazon said in a statement that none of its services—including the metadata service—were the underlying cause of the break-in and that it offers monitoring tools designed to detect this type of incident.
It is unclear why none of these alerting tools appear to have triggered alarm bells at Capital One.
A Federal Bureau of Investigation affidavit said a Capital One error enabled the breach. Capital One said it now has fixed the configuration problem.
Some security experts say that Amazon should do more to alert its customers about these configuration errors. Others say, given that cloud security is a shared responsibility, corporate customers have to do their part.
Amazon has said it has several tools to help mitigate configuration slip-ups.
Prosecutors have said that Ms. Thompson began her hacking on March 12, but Capital One didn’t learn of it until it was tipped off by an outside researcher 127 days later.
Security professionals have known about one of these misconfiguration problems—the ability to pilfer credentials from the metadata service—since at least 2014, said Scott Piper, who advises companies on their Amazon cloud security. Amazon has considered it the customer’s responsibility to eradicate them, he said, and some customers have failed to do so.
Brennon Thomas, a security researcher, conducted an internet scan in February and found more than 800 Amazon accounts that allowed similar access to the metadata service. Amazon’s cloud-computing service boasts more than one million users.
Mr. Thomas said the problem of misconfigured servers enabling outsiders to access sensitive metadata isn’t limited to Amazon Web Services, or AWS. His test also found problems with systems running on Microsoft’s cloud. Microsoft didn’t respond to requests for comment.
That Capital One was a victim has surprised some researchers. The bank performed extensive due diligence before deciding, in 2015, to embrace the cloud, company officials have said. “Capital One is well-known among people that do cloud security for having one of the strongest teams out there,” Mr. Piper said.
The Capital One data breach isn’t the first time data stored in the cloud has been stolen. But the fact that the fifth-largest U.S. credit-card issuer has become a victim is reviving concerns about cloud computing. Capital One was an early adopter of cloud computing and is featured as a case study on the AWS website.