Cloud Security, The Capital One Case, and The Shared Security Model

In this article, we will talk about the importance of the human factor in cloud security. In this context, we will examine the Capital One case and draw attention to its outcome and the lessons to be learned from it: “What were the company’s mistakes?” and “What could have been done to prevent it?”. We will talk about the changes it has caused in the IT industry. Finally, we will talk about the Shared Responsibility Model.

Cumhur Akkaya
10 min read · Jan 8, 2024

Topics we will cover:

1. Changing Questions and Rules
2. Capital One Case
3. The Result Of The Court
4. Company’s Mistakes
5. The Shared Security Model
6. As a result
7. Next post: “AWS Best Practices for DDoS Mitigation and Security Techniques”
8. References

If you like the article, I will be happy if you click the Medium Follow button to encourage me to write more, and not miss future articles.

Your clapping, following, or subscribing helps my articles to reach a broader audience. Thank you in advance for them.

1. Changing Questions and Rules

When I saw this question asked of candidates in an IT job posting, the Capital One case came to my mind. This incident caused new regulations in many areas of the IT sector, from cloud security to personnel recruitment, especially in the recruitment of Cloud and DevOps engineers, to whom you will entrust all the passwords and security systems of the company, as seen in the picture below.

After the Capital One case, the questions and rules began to change.

“Are you willing to take a drug test, in accordance with local law/regulations? (required to be filled)
o Yes
o No”

2. Capital One Case

Let’s recall the Capital One incident and its consequences:

Capital One, the fifth largest credit card issuer in the United States, suffered a data breach that exposed the personal information of more than 106 million credit card applicants in the United States and Canada in 2019. (1)

Capital One learned about the theft from a tip sent via email, which alerted the company that some of its leaked data was being stored out in the open on the software development platform GitHub. That GitHub account was for a user named “Netcrave,” and it included the resume and name of one Paige A. Thompson. (2)

The tip that alerted Capital One to its data breach.

Thompson was a former employee of Amazon Web Services, which is Amazon’s cloud computing division. Thompson was a systems engineer at AWS between 2015 and 2016, about three years before the breach took place. Capital One has been enthusiastic about using cloud technology to store its data in recent years and has been a big customer of AWS’ cloud platform for some time. (1)

After boasting about the data breach on Twitter and other social media in 2019, Thompson was reported as above and subsequently caught. (3)

FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada and the attacker stole the information of customers who applied for credit cards between 2005 and 2019. That data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers (2). While the financial services giant said it immediately fixed the issue and alerted the FBI, it was still one of the largest financial data breaches to date. (4)

According to court documents, Thompson allegedly exploited a misconfigured firewall on Capital One’s Amazon Web Services cloud server and, without authorization, stole more than 700 folders of data stored on that server sometime in 2019. (5)

Source: https://www.justice.gov/usao-wdwa/press-release/file/1188626/download (6)

According to Ray Watson, a cybersecurity researcher at cloud security firm Masergy; “The attacker was a former employee of the web hosting company involved, which is what is often referred to as insider threats. She used web application firewall credentials to obtain privilege escalation” (2). Her experience at AWS may have given her some insight into some common misconfigurations and holes to poke at.

Further investigation revealed that Thompson used the nickname “erratic” on Twitter, where she spoke openly over several months about finding huge stores of data intended to be secured on various Amazon instances. (2)

Thompson also used a public Meetup group under the same alias (erratic), where she invited others to join a Slack channel named “Netcrave Communications.” One of the more interesting posts by Erratic on the Slack channel is a June 27 comment listing various databases she found by hacking into improperly secured Amazon cloud instances. That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations:

According to Erratic’s posts on Slack, the two items in the list above beginning with “ISRM-WAF” belong to Capital One. (Source: krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/)

3. The Result Of The Court

Because of all this, Thompson was expected to be sentenced at her hearing in September 2020. Wire fraud convictions face up to 20 years in prison, according to the DOJ (Department of Justice). (4)

Surprising result

Paige Thompson was sentenced and her case concluded in October 2022. Thompson was found guilty of wire fraud, five counts of unauthorized access to a protected computer, and damaging a protected computer.

Paige Thompson, who stole 106 million people’s personal info from Capital One, costing the company at least $270 million, was sentenced to just five years’ probation in a Washington court. Prosecutors said they were “disappointed” at Paige Thompson’s sentencing, though the hacker argued she never misused the more than 100 million users’ data. Judge Robert Lasnik said prison would be especially difficult for Thompson “because of her mental health and transgender status”. (3)

U.S. Attorney’s Office, Western District of Washington, (Tuesday, October 4, 2022) Press Release (7):

Thompson hacked clients of Amazon Web Services including Capital One, Michigan State, and more than two dozen other entities and businesses.
Seattle — A 37-year-old former Seattle tech worker was sentenced today in U.S. District Court in Seattle to time served and 5 years of probation including location and computer monitoring for seven federal crimes connected to her scheme to hack into cloud computer data storage accounts and steal data and computer power for her own benefit, announced U.S. Attorney Nick Brown. Paige A. Thompson a/k/a ‘erratic,’ was arrested in July 2019, after Capital One alerted the FBI to Thompson’s hacking activity. A federal jury found her guilty in June 2022, following a seven-day trial. At the sentencing hearing U.S. District Judge Robert S. Lasnik said, time in prison would be particularly difficult for Ms. Thompson because of her mental health and transgender status. “While we understand the mitigating factors, we are very disappointed with the court’s sentencing decision. This is not what justice looks like,” said U.S. Attorney Nick Brown. “Ms. Thompson’s hacking and theft of information of 100 million people did more than $250 million in damage to companies and individuals. Her cybercrimes created anxiety for millions of people who are justifiably concerned about their private information. This conduct deserves a more significant sanction.”

Capital One reached a settlement of $190 million with affected customers and was fined $80 million by the Treasury Department. (3)

4. Company’s Mistakes

Capital One, on the other hand, had long dragged its feet on updating its lax cybersecurity methodologies. Reports in 2019 showed that even before the hack, some cybersecurity employees at Capital One said the company had failed to fix firewall vulnerabilities. The company also had not installed software it had previously purchased that would have helped it detect breaches.

Victims of the hack will receive money from a settlement stemming from a class-action lawsuit that alleged the company was negligent in its cybersecurity methods.

In 2020, the US Department of the Treasury’s Office of the Comptroller of the Currency investigated Capital One and found that the bank ignored obvious problems with its cloud-based systems and that its own internal audits routinely failed to recognize those faults.

The OCC (Office of the Comptroller of the Currency) determined the bank had to pay an $80 million fine and appoint a committee to oversee the bank’s cybersecurity standards. (3)

As a result of the data breach that exploited misconfigured firewalls, Capital One was fined $80 million and settled customer lawsuits for $190 million, $270 million in total, on top of the privacy concerns the breach raised. (4)

Though Capital One said there was no evidence the stolen data was used for fraud, analysis proved difficult. Nearly two years after Capital One issued a statement on the breach, it revealed additional Social Security numbers were among the accessed data. Court documents on the settlement agreement also showed Capital One agreed to enhance the company’s cloud security standards, procedures and controls, including the implementation of additional cloud security controls.

The breach put cloud security at the forefront of many enterprises.

5. The Shared Security Model

Before the attack, there was a misconception that cloud companies would handle security and that default settings were sufficient, said John Bambenek, principal threat hunter at Netenrich.

“The reality is, the shared security model requires users to make sure that their cloud environments are secure, and that data does not accidentally leak,” Bambenek said in an email to SearchSecurity. (4)

Security and compliance are a shared responsibility between the cloud provider and the customer. All cloud providers have clearly defined who does what, and where the limits lie, on this subject:

We can point to the Capital One case as one of the best examples of the devastating consequences of not understanding these responsibilities.

It will be useful to apply “Best Practices” to fulfill the customer’s side of that responsibility. For example:

etc.
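One concrete customer-side check for the model described above, added here as an example that is not from the original article, Capital One, or AWS: it lints IAM policy documents for the kind of over-broad grant that would let a single leaked role credential (such as one held by a firewall or WAF host) list and read every bucket in an account. Both policy documents and the bucket name are constructed samples, not real configurations.

```python
import json

# Constructed sample: an over-broad instance-role policy of the kind a WAF
# host should never carry (hypothetical, not any real company's policy).
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
    ],
})

# Constructed sample: the same role scoped to the one bucket it actually needs.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-waf-config-bucket/*"},
        {"Effect": "Allow", "Action": ["logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*"},
    ],
})

# S3 actions that, granted on every bucket, let one credential enumerate and
# download everything the account stores.
S3_READ_ACTIONS = {"s3:*", "s3:getobject", "s3:listbucket", "s3:listallmybuckets"}


def _as_list(value):
    """IAM allows a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json):
    """Return findings for Allow statements that grant '*' on everything, or
    S3 read access on a wildcard resource. An empty list means the policy passes."""
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        resources = _as_list(stmt.get("Resource", []))
        wildcard_resource = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if "*" in actions or (actions & S3_READ_ACTIONS and wildcard_resource):
            findings.append({"statement": idx, "actions": sorted(actions),
                             "resources": resources})
    return findings
```

Run the linter over every role policy in the account before a credential leak makes the scope question urgent; a non-empty result is a least-privilege finding to fix, not just to log.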

6. As a Result

Before the attack, the misconception was that “cloud companies will undertake security, and default settings will be sufficient”; that has changed. Security and compliance are a shared responsibility between the cloud provider and the customer, and the customer’s requirements must be fulfilled thoroughly.

Even when the court does not fully punish the hacker, companies suffer a great loss of reputation and have to pay large compensation. The importance of the staff working on cloud security was clearly seen.

This incident caused companies to add different control items to their recruitment procedures. The reliability of the engineers to whom you will entrust all your passwords and security systems has now become an important issue for companies.

I would like to state clearly here that it does not seem appropriate to me to brand the entire group, of which Paige A. Thompson is a member, in this way. Crime is personal, and a group cannot be lynched because of one person’s mistake. Making such a selection while hiring would be a great misfortune for the companies and a great disgrace and shame on their history.

If you liked the article, I would be happy if you click on the Medium Follow button to encourage me to write and not miss future articles.

Your clapping, following, or subscribing helps my articles to reach a broader audience. Thank you in advance for them.

For more info and questions, don’t hesitate to get in touch with me on Linkedin or Medium.

7. Next post

The next post is “AWS Best Practices for DDoS Mitigation and Security Techniques”.

We will create the necessary environment to mitigate DDoS attacks by using “AWS Best Practices”. Then, we will test it on a web application that we will build. Finally, we will examine and analyze the output on AWS WAF dashboard charts and CloudWatch, step by step.

Before reading this article, I recommend you review my article linked below.

Happy Clouding…

Don’t forget to follow my LinkedIn or Medium account to be informed about new articles.


Cumhur Akkaya

✦ DevOps/Cloud Engineer, ✦ Believes in learning by doing, ✦ Dedication To Lifelong Learning, ✦ Tea and Coffee Drinker. ✦ Linkedin: linkedin.com/in/cumhurakkaya