So you thought giant corporations were safe? Think again.
Capital One Financial Corporation has an email address where people can send any information or tip that might be useful to the company. That includes “white hat” hackers, computer specialists who look for possible vulnerabilities in its computer systems. Amazingly enough, on July 17, it got one.
“Hello there,” the email said, according to federal prosecutors. “There appears to be some leaked S3 data of yours in someone’s github/gist.” A link was provided to an account at GitHub, a company that allows users to manage and store project revisions, mostly related to software development.
It did not take long to narrow down who had accessed the files. The GitHub address included a name, Paige Thompson, a former Amazon.com Inc. employee who used the online nickname “erratic” and discussed her exploits with others, according to federal prosecutors.
On Twitter, Thompson identified herself as a transgender woman. Using the alias “erratic”, she allegedly wrote in a Twitter message posted on June 18, “I’ve basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” and, “There ssns…with full name and dob”.
So what kind of damage has it done? Capital One did not take much time to assess the damage. 100 million people in the US and 6 million in Canada are affected by the breach. The illegally accessed data, which was stored on servers rented from Amazon Web Services, was primarily related to credit card applications and included personal information, like names, addresses and dates of birth, and some financial information, including self-reported income and credit scores.
Although most of the Social Security numbers were protected, roughly 140,000 were still compromised. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.”
So who is this person who tipped off Capital One? The company characterized the tipster to the hack as an “external security researcher.”
Paige Thompson, aged 33, was charged with computer fraud and abuse.
This could be one of the largest breaches ever to affect a U.S. bank. Multiple scenarios are still possible. It is still being assessed whether the data has been distributed to others and possibly used for fraud.
Security breaches like this show how hackers can steal gigantic amounts of data as a result of lapses made by companies. Failing to patch a known flaw can make it far easier for your systems to fall prey to hacking.
In the Capital One case, Thompson was allegedly able to steal vast buckets of personal data because of an improperly configured firewall — among the most basic digital security tools. The bank said it immediately fixed the problem once it was discovered.
The DOJ said the GitHub file “contained the IP address for a specific server” of Capital One, which had “a firewall mis-configuration.” That “permitted commands to reach and be executed by that service, which enabled access to folders or buckets of data in Capital One’s storage space at the Cloud Computing Company,” investigators said.
In a complaint filed Monday in Seattle, prosecutors said that Thompson accessed the data at various times between March 12 and July 17. A file on her GitHub account, timestamped April 21, contained a list of more than 700 folders and buckets of data, according to prosecutors.
The charges against Thompson refer to information stored on S3 (Simple Storage Service), which is data storage software from Amazon Web Services.
An AWS spokesman confirmed that the company’s cloud had stored the Capital One data that was allegedly stolen, and said it wasn’t accessed through a breach or vulnerability in its systems.