Capital One Financial Corporation has discovered a massive cybersecurity breach that has affected 100 million individuals in the United States and approximately 6 million in Canada. The breach involved a misconfigured Web application firewall (WAF) on Amazon Web Services (AWS).
“AWS was not compromised in any way and functioned as designed. The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud.”
It’s the latest in a long list of data breaches and information leaks involving misconfigured AWS cloud buckets.
Here are 10 things to know about the Capital One Breach.
1. Date of Discovery: Capital One on July 19, 2019, determined that the financial services company suffered an “unauthorized access by an outside individual.”
2. Security Hole Closed: Capital One immediately “fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement.”
3. Suspect Arrested: The FBI has arrested the person responsible. Based on the company’s analysis to date, Capital One believes it is unlikely that the information was used for fraud or disseminated by this individual, though the investigation is ongoing.
4. Suspect Name: The FBI arrested Paige A. Thompson (a.k.a. “erratic”) for the alleged data theft, according to The Department of Justice.
5. Elements of the Alleged Crime: The intrusion occurred through a misconfigured web application firewall that enabled access to the data, the Department of Justice says. Thompson allegedly posted information on GitHub that was related to the alleged crime. She was arrested and has been detained pending an August 1 hearing, The Department of Justice says.
6. Size of Breach: The breach affected approximately 100 million individuals in the United States and approximately 6 million in Canada. Still, no credit card account numbers or log-in credentials were compromised.
7. Social Security Numbers: About 140,000 Social Security numbers of Capital One’s credit card customers were lifted. About 80,000 linked bank account numbers for secured credit card customers were lifted. And approximately 1 million Social Insurance Numbers for Canadian customers were compromised in this incident.
8. Next Steps: Capital one expects to “notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected.”
9. Executive Apology: In a statement, Capital One CEO Richard D. Fairbank said: “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
10. MSSPs and Cyber Investigators: The company did not disclose which partners, if any, are assisting the investigation.