Federal prosecutors this week charged a Seattle woman with stealing data from more than 100 million credit applications made with Capital One Financial Corp. Incredibly, much of this breach played out publicly over several months on social media and other open online platforms. What follows is a closer look at the accused, and what this incident may mean for consumers and businesses.
On July 29, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada.
That data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers.
“Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised,” Capital One said in a statement posted to its site.
“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019,” the statement continues. “This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
The FBI says Capital One learned about the theft from a tip sent via email on July 17, which alerted the company that some of its leaked data was being stored out in the open on the software development platform GitHub. That GitHub account belonged to a user named “Netcrave” and included the resume and name of one Paige A. Thompson.
The complaint doesn’t explicitly name the cloud hosting provider from which the Capital One credit data was taken, but it does say the accused’s resume states that she worked as a systems engineer at the provider between 2015 and 2016. That resume, available on Gitlab here, reveals Thompson’s most recent employer was Amazon Inc.
Further investigation revealed that Thompson used the nickname “erratic” on Twitter, where she spoke openly over several months about finding huge stores of data intended to be secured on various Amazon instances.
According to the FBI, Thompson also used a public Meetup group under the same alias, where she invited others to join a Slack channel named “Netcrave Communications.”
KrebsOnSecurity was able to join this open Slack channel Monday evening and review many months of postings apparently made by Erratic about her personal life, interests and online explorations. One of the more interesting posts by Erratic on the Slack channel is a June 27 comment listing various databases she found by hacking into improperly secured Amazon cloud instances.
That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations:
Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts. In several conversations, Erratic makes references to running a botnet of sorts, although it is unclear how serious those claims were. Specifically, Erratic mentions one botnet involved in cryptojacking, which uses snippets of code installed on Web sites — often surreptitiously — designed to mine cryptocurrencies.
None of Erratic’s postings suggest Thompson sought to profit from selling the data taken from various Amazon cloud instances she was able to access. But it seems likely that at least some of that data could have been obtained by others who may have followed her activities on different social media platforms.
Ray Watson, a cybersecurity researcher at cloud security firm Masergy, said the Capital One incident contains the hallmarks of many other modern data breaches.
“The attacker was a former employee of the web hosting company involved, which is what is often referred to as insider threats,” Watson said. “She allegedly used web application firewall credentials to obtain privilege escalation. Also the use of Tor and an offshore VPN for obfuscation are commonly seen in similar data breaches.”
“The good news, however, is that Capital One Incidence Response was able to move quickly once they were informed of a possible breach via their Responsible Disclosure program, which is something a lot of other companies struggle with,” he continued.
In Capital One’s statement about the breach, company chairman and CEO Richard D. Fairbank said the financial institution fixed the configuration vulnerability that led to the data theft and promptly began working with federal law enforcement.
“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” Fairbank said. “While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Capital One says it will notify affected individuals via a variety of channels, and make free credit monitoring and identity protection available to everyone affected.
Bloomberg reports that in court on Monday, Thompson broke down and laid her head on the defense table during the hearing. She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. Thompson will be held in custody until her bail hearing, which is set for August 1.
A copy of the complaint against Thompson is available here.
Update, 3:38 p.m. ET: I’ve reached out to several companies that appear to be listed in the last screenshot above. Infoblox [an advertiser on this site] responded with the following statement:
“Infoblox is aware of the pending investigation of the Capital One hacking attack, and that Infoblox is among the companies referenced in the suspected hacker’s alleged online communications. Infoblox is continuing to investigate the matter, but at this time there is no indication that Infoblox was in any way involved with the reported Capital One breach. Additionally, there is no indication of an intrusion or data breach involving Infoblox causing any customer data to be exposed.”
Am I missing something here? How did she exploit the actual WAF? People are suggesting she used the default admin credentials? But.. wouldn’t the admin console of a WAF only be accessible from the internal network? Kinda like how your home router admin console can only be accessed by the private IP.
The only other thing I can think of is using malformed requests like SQL injection to elevate. Was the WAF not configured to block that?
I don’t think they did.
As I read the complaint, they ran a simple, three-line program (using the AWS CLI or one of the libraries like the PowerShell one) that used API credentials, did a “list buckets” and then a “sync bucket”.
The credentials were for “ISRM-WAF-Role” but an actual WAF wasn’t touched.
Speculation (and it’s just that at this time) is that “credentials” (access tokens, etc.) were retrieved from the AWS Metadata API via a web application with an SSRF vulnerability. I guess the idea is that the WAF, if properly configured, should have prevented the SSRF exploit? Do a search on “exploiting AWS metadata service” for more info.
Yup. Seen a few comments that make sense there; the WAF was apparently a third party, marketplace instance rather than AWS’ own, and for such instances, if you can induce them to connect to the http://169.254.169.254/ meta-data endpoint on your behalf, you can pull ephemeral API keys to use with AWS CLI.
That’s it. Then again, only assuming at this point really. Time will (hopefully) tell.
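The two comments above describe the defender's problem in one sentence: an application that can be induced to fetch a URL on an attacker's behalf must never be allowed to reach the instance metadata endpoint. The following is an added example, not code from Capital One, AWS, or anyone in this thread, of the outbound-request guard a web application can apply before it fetches a user-supplied URL. It assumes the application fetches URLs server-side and that the resolver function (here a hook so the check can be exercised without network access) returns every address a hostname maps to.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example; constructed guard, not Capital One's or AWS's code.
# Hostnames that are cloud metadata services regardless of what they resolve to.
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "fd00:ec2::254"}


def is_public_address(ip_str):
    """True only for globally routable unicast addresses.

    Link-local (169.254.0.0/16, fe80::/10), private, loopback, multicast and
    reserved ranges are all rejected, which covers the EC2 metadata endpoint
    as well as anything else inside the VPC.
    """
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(hostname):
    """Default resolver: every A/AAAA answer for the name (does real DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}


def check_outbound_url(url, resolver=resolve_all):
    """Return (allowed, reason) for a URL the application is about to fetch.

    Rejects non-http(s) schemes, known metadata hostnames, IP literals in
    non-public ranges, and any hostname whose resolved addresses include a
    non-public address (so a DNS name pointing at 169.254.169.254 is caught).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    host = parts.hostname  # urlsplit strips the [] around IPv6 literals
    if not host:
        return False, "missing host"
    if host.lower() in METADATA_HOSTS:
        return False, "cloud metadata endpoint"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # host is an IP literal
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError as exc:
            return False, "resolution failed: %s" % exc
    for addr in addrs:
        if not is_public_address(addr):
            return False, "resolves to non-public address %s" % addr
    return True, "ok"


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[fe80::1]/", "ftp://example.com/"):
        print(u, check_outbound_url(u))
```

Two caveats a practitioner would add. First, the check resolves the name once; a DNS rebinding attack can return a public address now and a link-local one at connect time, so the fetch should connect to the address that was validated (or re-validate inside the HTTP client's connection hook) rather than re-resolving. Second, the guard is application-side and only as good as the code path it covers; the instance-side control is to require IMDSv2 (`aws ec2 modify-instance-metadata-options --http-tokens required`), which makes the metadata service refuse the simple GET that a proxied request produces.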
VPC = Amazon VPN essentially. She was on the VPC.
Actually, VPC = Virtual Private Cloud. That’s effectively the equivalent of a virtual datacenter within AWS. Customers can carve out multiple VPCs and have totally isolated environments.
One of several AWS services that allows customers to create a connection back to their on-premises datacenter is a CGW (Customer Gateway) and is typically associated with either a site-to-site VPN or AWS DirectConnect. DirectConnect is a private MPLS connection whereas the VPN would be an IPSec tunnel back to a VPN gateway on the remote end. Of course the VPN connected to the VPC is across the Internet.
Guys, keep in mind that even though they were using a WAF, the WAF is only as good as the security policy applied to it. WAFs can be very complex to manage and maintain and, in many cases, require the configuration to be modified as there are changes to the web application it’s protecting. If the customer makes changes to the application but doesn’t modify the WAF policy, they might be vulnerable to attacks focused in areas the WAF doesn’t know to protect.
There are WAFs on the market that don’t require constant care and feeding, but who knows which product they were actually using.
Please don’t comment if you have no clue what you’re talking about. VPC is a Virtual Private Cloud, not VPN. As others mentioned, it’s basically a virtual datacenter. Thanks for fake news.
It sounded like credential reuse. She may have found AWS IAM credentials that allowed her access to all sorts of S3 stuff. In the company I work for we’re pretty OCD about ensuring that IAM users for S3 access have really limited access – only to one bucket and only to the parts of that bucket that the application needs.
It sounds like she was doing a lot of attacks based on overly broad IAM users and lax AWS IAM roles. I’m still curious how she initially got into the machine.
It’s possible there was just a misconfigured EC2 instance that had those overly permissive IAM role/credentials available, and which could fetch the data from the S3 buckets.
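The three comments above converge on the same control: the role attached to an instance should be able to read one bucket, or one prefix, and nothing more. As an added example (not Capital One's tooling and not an AWS-provided check), here is a small linter for the S3 portion of an IAM policy document that flags the "overly broad" grants the commenters describe. It assumes the input is a standard IAM policy JSON document, as returned by `aws iam get-role-policy` or `get-policy-version`; the two sample policies are constructed for the demonstration.

```python
import json

# Added example; constructed IAM policy linter, not Capital One's or AWS's code.

# Constructed sample: the shape the commenter describes as good practice.
TIGHT_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-app-bucket/uploads/*"
  }]
}"""

# Constructed sample: a role that can enumerate and read every bucket in the account.
BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::*"}
  ]
}"""


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def resource_is_broad(resource):
    """True when the resource element covers every bucket and/or every object."""
    r = resource.lower()
    return r in ("*", "arn:aws:s3:::*", "arn:aws:s3:::*/*")


def audit_s3_policy(policy):
    """Return a list of findings for S3 grants wider than bucket/prefix scope.

    Severity: high   = wildcard action on a wildcard resource (s3:* on *)
              medium = a specific action on every bucket/object
              low    = wildcard action scoped to one bucket or prefix
              review = NotAction/NotResource used; needs a human to read it
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append({"statement": idx, "severity": "review",
                             "reason": "NotAction/NotResource needs manual review"})
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if not (action == "*" or action.startswith("s3:")):
                continue  # only S3 grants are in scope here
            if action == "s3:listallmybuckets":
                continue  # this action only exists on "*"; not a finding by itself
            for resource in resources:
                wildcard_action = "*" in action
                wildcard_resource = resource_is_broad(resource)
                if wildcard_action and wildcard_resource:
                    severity = "high"
                elif wildcard_resource:
                    severity = "medium"
                elif wildcard_action:
                    severity = "low"
                else:
                    continue
                findings.append({"statement": idx, "action": action,
                                 "resource": resource, "severity": severity})
    return findings


def worst_severity(findings):
    """Highest severity present, or None for a clean policy."""
    order = {"high": 3, "medium": 2, "review": 1, "low": 0}
    return max((f["severity"] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for name, doc in (("tight", TIGHT_POLICY), ("broad", BROAD_POLICY)):
        found = audit_s3_policy(doc)
        print(name, worst_severity(found), json.dumps(found, indent=1))
```

The linter deliberately ignores `Condition` blocks, so a statement like `s3:GetObject` on `*` limited by `aws:SourceVpce` will still be reported as medium; that is the right default for a first pass, because the condition is where a reviewer's attention should go. Run it against the inline policies of every role that an EC2 instance profile can assume, not only the roles attached to the application you expect to be reading the data.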
I don’t really care about the breach.
I care that twitter memory-holed the perpetrator’s account for no reason other than being accused of a crime.
Tangentially, Erratic is no she. He clearly is a dude in costume.
If this individual tweeted about anything political that wasn’t left-leaning they’d have deleted that individuals account quickly. I don’t trust twitter and no one else should either. This individual needs mental help. Perhaps jail can be the start of the reform this individual needs.
Keith,
You should never refer to a mentally ill person as “an unnatural thing.”
There is a line and you crossed it.
how is this relevant or important?
“Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts.”
Because these are what are known as “indicators” of terrorists and other potential criminal activity, according to my annual IA awareness training.
Those who express frustration of their situations, inability to cope with life circumstances, or expressions of suicidal thoughts.
All indications that the person is unstable and likely to make poor judgement decisions.
BS… I take the same awareness training, and I know the cheesy vignette you are talking about.
It does NOT lump all mental health problems as indicators. There are none that mention gender identity or even depression.
They do, however, mention divorce and other financial stressors as indicators to look out for when it comes to insider threats.
Really, you were trained? It does not sound like it; sounds like you need a lot more… WOW!
Yes kid… I have taken the annual training many many times. Sick of it frankly.
But a kid of your age wouldn’t even be old enough to be included in the training.
Since you don’t know what is even being discussed here… let me break it down.
It is about spotting behavioral indicators of insider threats. Divorce, personal debt and gambling problems are big indicators. Being disgruntled at work definitely. There are several others. But none of them are based on depression, suicidal thoughts or gender identity.
That is just bigotry being expressed and trying to tie that to the training.
Luckily, there is other training available for that. See your SHARP advisor.
Because she has mental issues dude!
Not that it forgives her for the crime, but it does maybe explain WHY she did it! Unhappiness, not maliciousness; there is a HUGE difference… Maybe she was not in full control? Who knows..
People today use all those reasons after they commit a crime in order to get a lesser sentence. No one wants to take responsibility for their actions.
What? Personal responsibility?? What is that? I don’t think we’ve had that for a number of years now.
She was an insider threat aka this was an insider job. She already had the creds to move about.
If this hack was facilitated by insider knowledge, it seems to me that CapitalOne made a mistake by stating that Amazon was not at all responsible. Especially so early in the investigation. From a legal perspective, it seems to me it would have been better to keep quiet.
Completely agree… why is there not more in the mainstream news about Amazon’s role in this?
Also, did you notice that the criminal complaint references “the Cloud Computing Company” throughout the document and does not once mention AWS or Amazon? Why?
Did you hear Amazon is about to be awarded a fed gov. contract in upcoming months, think about it!!!!!!
Looks like that’s on hold for now: https://www.nytimes.com/2019/08/01/us/politics/amazon-pentagon-contract.html?action=click&module=Top%20Stories&pgtype=Homepage
Brian, Is “erratic” Thompson the same person that has been in discussions here over the past couple of months with the desire to sell or dump data hacked from big companies because they hate the United States, they are depressed, so on and so on? Another happy employee?
Also great work on fuel station credit card skimmer detection stories. Another place to look at is the “disgruntled employee” who places a skimmer on the inside backroom computer controller, completely avoiding the card reader in the fuel dispenser (CRIND Unit); this should force fuel station owners to secure the fuel controller computers so data cabling, USB ports and other access ports are fully secured against access.
In the old days the data thieves had to dumpster dive the credit card invoices for numbers to steal, now they just plug in a Bluetooth USB drive and wait for the customer to enter their info willingly.
When I read the “insider threat” mention in this article my sales-jargon BS meter went red.
She worked at Amazon, so what? Unless they can say she used some secret Amazon backdoor or some unprovisioned rights from her time of employment then it isn’t an “insider threat”. It seems more likely that she was someone who had in-depth knowledge of this public cloud computing platform that she was able to leverage to easily pivot and exfiltrate data via some (speculated) weak configuration management practices by CapitalOne. So, under that logic anyone that has used AWS and has knowledge of the platform and tools could be seen as an “insider”, which I feel is a bit of an excessive stretch of that term.
I’d be willing to bet once all the facts come to light this will likely be another instance of a breach caused by cloud consumer misconfiguration of a cloud platform vs a directly attributable breach due to the provided cloud infrastructure. If that is true, I think the silver lining here is that from what I have read thus far it sounds like CapitalOne wasn’t extremely negligent, as opposed to most other reported breaches caused by setting data buckets to public access.
Some random security researcher said it’s an insider threat. That doesn’t make it so.
She hasn’t worked at AWS for 3 years. AWS employees do not have access to customer IAM credentials, which would be necessary to pull this off. Never mind the fact the credentials compromised were IAM role credentials. Those rotate every 12 hours. So even if she had credentials by virtue of working at AWS (she doesn’t, as I know from experience), they would have been invalid no later than 12 hours after she stopped working for AWS.
The only thing working at AWS may have helped her with is knowing how the services work. But this is the exact same experience you would get working as an AWS architect for a third-party company.
how is this relevant or important?
“Erratic also posted frequently to Slack about her struggles with gender identity, lack of employment, and persistent suicidal thoughts.”
The only thing I can really come up with is it is somehow an excuse for their actions? Really shouldn’t matter if you ask me. They broke the law. I don’t care if they are transgender. Being transgender is not a get out of trouble free card.
She’s actually a HE… don’t let the media fool you!
I fully agree
u guys must be a lot of fun at parties
Eff her. She has “emotional” issues and screws over millions of people? Throw her in the can for 20 years, 30 years. Throw away the key. What an A-hole. Capital One should forgive all my debt as a penalty to them for leaving my info unsecured.
I want my Data Back!
This is the third breach of information I’ve been involved in.
1.) OPM (Office of Personnel Management) Chinese
2.) Equifax
3.) Capital One VISA
We need strong Federal Laws protecting citizens from companies collecting & storing any personal data. Period!
I understand your frustration, but don’t miss the fact that these companies are being victimized by criminals. Would you expect to be prosecuted for letting someone break into your home?
If I kept the personal belongings of 106M people in my home with the understanding I’d be keeping them all safe, then yes I might expect some repercussions.
Which is not to deny the culpability of a bad actor, but to *also* consider the culpability of a victim who has taken on responsibilities regarding the assets they hold on behalf of others. Essentially there were two ‘crimes’ taking place here.
If I store your stuff in my home and then let someone stroll in and take a bunch of it without even locking the door, then yes I would expect to be prosecuted.
He\She will probably get a stronger sentence than Equifax or Facebook respectively.
He\She will get, say, 2 years (maybe?). Based on the breaches by Equifax and Facebook, He\She should only be fined 1 month’s salary!
You’ve probably been involved in far more, just not knowingly. There’s been over a thousand in the last year.
The real story here is the essential slap on the wrist penalty level for a crime that could result in ruined lives for innocent people. Even if found guilty and given the maximum penalty, there is little real punishment. There should be one count of the crime for each individual whose information was breached. It should be a capital crime. Treating such serious acts as if they are juvenile pranks is a big part of the problem.
Anyone know of a way to get or search the leaked data? Capital One claimed to the CFPB and the court they did not have application data in 2017 but this data leak may show otherwise. After the move to the cloud Capital One started to send cash advance checks to someone whose account was closed 2 years before the cloud move (per public state court records), so this cloud move had problems.
This is how a hacker screams for help…
I am disappointed in how liberal (lenient?) the prosecutor is. This person (he/she?) is just a small fish. The whole incident shows a systematic failure at the bank. The regulators must create an example by forcing the so-called bank to go out of business; that way other banks will learn a hard lesson and start focusing on protecting their customer data. The very way such a high quantity of data got breached looks silly to me. It could have easily been stopped with simple countermeasures.
I feel the regulators failed the bank; they usually monitor and keep track of technology auditing. They are sending folks who don’t understand security.
Modify the post date please it is saying July 19 while the actual report date is 29.
General Bill, the date on the post is done in the following format:
DAY (DD – in big font)
Month (MMMM – in small font) Year (YY – in small font)
That 19 you are looking at is July 2019, not July 19, 2019
CapOne continually sends out invitations to apply for their CC products. They – and all the other marketers of FinSvcs – buy mailing lists that include all sorts of PII – and those DM lists are available from many sources.
Why should we believe that our PII is safe in the hands of CapOne – or any other entity that stores our aggregated infos?
Brian thanks for putting this information together and sharing with the community at large. As with any breach we all can learn from this incident. Looking for techniques that can be deployed to prevent a similar incident if anyone cares to share their thoughts.
This should also apply to men who think they are men.
I heard a security guy on the radio this morning discussing how AWS has a default configuration for convenience and easy use, rather than being geared towards security. Apparently it cuts down on support costs.
I don’t know if that is true, but I imagine that it’s not too smart to leave things in their default state.
The other thing the guy mentioned is that the stolen data would’ve been in more than one folder or server. (Not sure which, it went over my head). He was suggesting that the data theft couldn’t have been done by just one person with 3 years old credentials.
So maybe it’s a bigger story.
That’s not true, Amazon’s defaults are reasonable. On the other hand, their S3 bucket permissions model and access control (IAM) is the most baroque misbegotten overengineered monstrosity imaginable, and it’s actually surprising misconfigurations like these aren’t found and exploited on an hourly basis.
That security guy has very little experience, from what I can tell.
1.) The default security group for the default VPC allows all traffic on all ports, sure. But if you’re deploying resources for a large bank, you would know to secure your stuff.
2.) IAM roles have no permissions by default. Meaning you can’t do anything to it. You have to specifically add permissions to allow it to do anything.
3.) ‘3 year old security credentials’ doesn’t make sense. This is an IAM role we’re talking about. IAM roles use temporary credentials that rotate every 12 hours. There’s absolutely no way the credentials were 3 years old.
The 3 year thing is likely alluding to the fact she worked for AWS as recently as 2016. But AWS employees, even those who work in security and IAM, don’t have access to IAM credentials for user accounts. And if a customer accidentally gives their credentials to AWS (say, when engaging AWS Support), AWS immediately scrubs that information from its servers and tells the customer to rotate their credentials.
Her experience at AWS may have given her some insight on some common misconfigurations and holes to poke at, but it wouldn’t get her access to customer credentials. And even if somehow she did get those credentials 3 years ago, the role credentials would’ve been good for precisely 12 hours.
I know all this from experience.
Well, that is all auditable in AWS Secrets.
But I think the Complaint said she had inside info… and maybe that’s how the DOJ deduced this
Did you know the ARM architecture that powers all smartphones and much else besides, was designed by a trans woman (Sophie Wilson, born Roger)?
HR will fire you. And if they don’t. The company will be sued. And rightly so.
Ignorance should not influence hiring policy.
In this interview, Capital One’s CEO brags that their software “encrypts ALL data going to the cloud”. What happened, Rob?
https://www.wsj.com/amp/articles/BL-CIOB-11029?responsive=y
Details are not clear, but even if the data was encrypted, she may have known how to extract decryption keys from applications which accessed the data, based on insider knowledge.
From Capital One’s CIO interview in the Wall Street Journal: “We launched a tool called Cloud Custodian that we built to ensure that we encrypt all data that goes to the cloud. Cloud Custodian monitors our deployment in the public cloud to make sure all the things we deploy comply. If something’s not encrypted, it will automatically encrypt it.”
If “all data” was encrypted, then there was no actual breach, correct?
Or did this banking executive tell a bold-faced lie to the American people?
I mean this could be a systematic failure where the encryption checkbox wasn’t selected during the creation of the bucket. Especially since the level of effort required by Paige Thompson was very little. She claims she didn’t even know she was accessing unencrypted data.
So, um, just curious… Which prison will they be sending Ms. Erratic to? Men’s or women’s?
I suspect she would find herself highly UNappreciated in a women’s prison. But she would probably be greeted with a warm reception in a men’s prison.
What does their gender have to do with this breach or blog post? You snowflakes always get so triggered by people who have a gender identity that offends you.
Because hackers are 99.99% of the time male – this would be unusual if it was actually a female…
Since the crime was committed in Washington, it would fall under their state laws:
https://www.aclu-wa.org/docs/rights-transgender-people-washington-state
This case is federal, not prosecuted by the state of Washington.
Also, crime is considered to happen where the victim lives, not the origin of the perpetrator.
With computer crime, it is not feasible to consider the location of servers, victim company HQ, or possible distributed victims… so it’s just federal.
“You don’t hack a bank across state lines from your house, you’ll get nailed by the FBI”
-best movie of all time
The title of the e-mail alerting Capital One says “Leaked s3 data” and s3 is Amazon’s Simple Storage Service. Correct me if I’m wrong.
If other data stores were also accessed through Capital One’s s3 instance, that means that the internal security of the cloud has significant vulnerabilities. It reminds me of the Chinese CloudHopper campaign that was revealed a couple of years ago after having romped about in many cloud providers’ infrastructure for about five years.
I’m not persuaded that cloud providers are any better at security than the city of Baltimore.
There are a lot of transphobic comments on this article. This website is for computer security, comment on the crime at hand and post all of your transphobic nonsense on your own alt-right platform.
Brian Krebs has deleted some of it, but I think he’s getting overwhelmed trying to keep track and moderate.
I agree with that. What is relevant here is: what was extracted; how it was done; what configuration weaknesses allowed this to happen; who may have accessed the exfiltrated data; and what harm may have resulted from any third-party access to that data.
All discussions about the personal life of the former Amazon-employed systems engineer are irrelevant. Discussions about detecting possible “insider threats” from current or former employees may be relevant but are likely to go rapidly off-topic.
Brian is perhaps best placed to comment on the possible uses – or rather misuses – of the classes of data relating to individual applicants. Identity theft and fraud seem the most likely.
Please try to keep on topic. Let’s avoid turning this forum into yet another place to have divisive political fights.
Don’t invent words or be a tattle tale.
We should continue to call out these bigots for what they are. Shame them back into the shadows, as they whine about 1st amendment rights. They can have their rights in their own, ignored corners of the dark web, with the rest of the filth.
The breach began in March, and went undetected through mid-July? Was there no form of monitoring on their S3 buckets to check for unusual traffic patterns or behavior? And no form of threat intelligence program in place to monitor social media, forums, dark web, etc. for hints of breaches? The only thing in place was a tip line/tip email box to place the burden of intel on random tipsters? As a large financial with customers’ sensitive info across the USA and Canada? Seriously?
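The question above (was anything watching the buckets?) has a concrete answer in CloudTrail, provided S3 data events are switched on, which they are not by default. As an added example (not Capital One's detection, not an AWS-supplied rule), the following implements the pattern the earlier commenter described as "list buckets, then sync": one principal enumerates the account's buckets and then reads many objects from several distinct buckets inside a short window. The event records are constructed for the demonstration and trimmed to the fields the rule uses; role names, account id and addresses are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example; constructed detection rule over CloudTrail-shaped records.
# Not Capital One's or AWS's code. Account id, role names and IPs are placeholders.


def _ev(t, name, arn, bucket=None, key=None, ip="198.51.100.7"):
    """Build a CloudTrail-style S3 record with only the fields the rule reads."""
    params = {}
    if bucket:
        params["bucketName"] = bucket
    if key:
        params["key"] = key
    return {"eventTime": t, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip,
            "requestParameters": params}


SUSPECT = "arn:aws:sts::111122223333:assumed-role/example-waf-role/i-0abc123"
APP = "arn:aws:sts::111122223333:assumed-role/example-app-role/i-0def456"

# Constructed sample log: one session enumerates and reads four buckets (24 objects),
# while an ordinary application role reads two objects from its own bucket.
SAMPLE_EVENTS = [_ev("2019-03-22T10:00:00Z", "ListBuckets", SUSPECT)]
for b in range(4):
    bucket = "example-bucket-%d" % b
    SAMPLE_EVENTS.append(_ev("2019-03-22T10:0%d:00Z" % (b + 1), "ListObjects", SUSPECT, bucket))
    for k in range(6):
        SAMPLE_EVENTS.append(_ev("2019-03-22T10:0%d:%02dZ" % (b + 1, k + 1),
                                 "GetObject", SUSPECT, bucket, "part-%d" % k))
SAMPLE_EVENTS += [
    _ev("2019-03-22T10:02:00Z", "GetObject", APP, "example-bucket-0", "config.json", ip="10.0.1.5"),
    _ev("2019-03-22T10:03:00Z", "GetObject", APP, "example-bucket-0", "templates/a.html", ip="10.0.1.5"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_s3_collection(events, window=timedelta(hours=1),
                              min_buckets=3, min_objects=20):
    """Alert when a principal enumerates buckets and then reads widely.

    For every ListBuckets call, count the distinct buckets listed or read and
    the objects fetched by the same principal within `window`. Returns one
    alert per offending principal with the detail a responder needs first.
    """
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(e)

    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: _parse(e["eventTime"]))
        for i, e in enumerate(evs):
            if e["eventName"] != "ListBuckets":
                continue
            start = _parse(e["eventTime"])
            buckets, objects, ips = set(), 0, set()
            for f in evs[i + 1:]:
                if _parse(f["eventTime"]) - start > window:
                    break
                b = f["requestParameters"].get("bucketName")
                if f["eventName"] in ("ListObjects", "ListObjectsV2", "GetObject") and b:
                    buckets.add(b)
                    ips.add(f["sourceIPAddress"])
                if f["eventName"] == "GetObject":
                    objects += 1
            if len(buckets) >= min_buckets and objects >= min_objects:
                alerts.append({"principal": principal, "start": e["eventTime"],
                               "buckets": sorted(buckets), "objects": objects,
                               "source_ips": sorted(ips)})
                break  # one alert per principal is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_s3_collection(SAMPLE_EVENTS):
        print(alert)
```

The thresholds are starting points to be tuned per account; a backup role legitimately touches many buckets, so the rule is best scoped with an allow-list of principals or paired with the `sourceIPAddress` field, since an instance role being used from an address outside the VPC (the article mentions Tor and an offshore VPN) is on its own worth a look.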
Great points! She did a service to society by exposing CapitalOne’s negligence in protecting our personal information.
Great questions. I would think an institution of that size would be using some kind of threat intelligence.
For a company whose CIO and CEO have been constantly boasting about being first to cloud, cloud journey, cloud transformation (all while simultaneously proclaiming that their customers’ data was infinitely more secure in the cloud than in their private data centers), this is a huge black eye to Rich and Rob’s professional legacies. If only they would have spent some of that boasting effort towards ensuring that basic security practices were consistently being practiced on their cloud-based infrastructures, this would not have happened. One of them (both?) needs to accept accountability and full responsibility for this massive breach.
When you put mission critical information into a cloud “bucket” called “Simple Storage”, maybe you should re-think the risk.
That PII information should have been stored in an encrypted database with iron clad access control. The fact that *anyone* outside of Capital One’s team could possibly access the storage and read the contents is a HUGE security failure.
The truth is there is nothing simple about S3 and IAM. From what we see here, it appears this attacker was able to launch a machine into their VPC, and assign an IAM role to the machine with access to the data. Leaving aside whatever flaws this reveals about the application encryption model of CapitalOne, it raises a lot of red flags about, i.e., controls over the management plane which allowed a remote user to bring up a machine in a production VPC, assign roles, etc.
AWS doesn’t claim to be a security panacea, only to offer robust tooling to secure applications. This breach doesn’t appear to have compromised the AWS control lane itself, but rather to illustrate fairly glaring configuration oversight shortcomings at CapitalOne.
Brian, What’s your take on the part of the report that says credit card numbers and 99% of SSNs were not compromised because Cap One used Tokenization instead of encryption on those data elements? Seems like they encrypted the other PII, which was the focus of the data breach, and the ability to decrypt was possible. Just curious if you believe there is any silver lining with this part of their data protection strategy.
If AWS implemented a service similar to https://cloud.google.com/vpc-service-controls/ in Google Cloud Platform, and Capital One used the service, Erratic would have had no way to take the large amount of data out of S3. It is fair to say both AWS and Capital One can do better.
Has this person never heard of opsec? Sharing details of their personal life in the same Slack as the one where they are discussing their cybercriminal ventures.
What a joke