Assignment 1

The Capital One data breach in March 2019 exposed the personal information of over 100 million customers due to a misconfigured AWS firewall, allowing a hacker to access sensitive data. The breach was discovered on July 19, 2019, leading to an investigation that resulted in the arrest of the hacker, a former AWS employee. Capital One faced significant short and long-term impacts, including a $190 million lawsuit settlement, reputational damage, and increased security measures to prevent future incidents.


Assignment 1

Capital One Data Breach


Cloud Architecture and
Administration
Security Management
SEC715NBB.08077.2231
Winter 2023 Semester 1

Contents
Introduction................................................................................................................................................3
Summary of the Breach..............................................................................................................................3
Technical Details of the Breach..................................................................................................................4
Initial Access............................................................................................................................................4
Execution.................................................................................................................................................4
Goal.........................................................................................................................................................4
Mistake...................................................................................................................................................4
What steps did Capital One and AWS take after the breach?...............................................................4
Comparison to Similar Breaches.................................................................................................................5
Impacts of the breach.................................................................................................................................5
Short Term Impacts.................................................................................................................................5
Long Term Impacts..................................................................................................................................6
Proposed Corrective Action........................................................................................................................6
References..................................................................................................................................................7

Introduction

Capital One is a well-known bank and financial organization that provides credit solutions to
customers in countries including Canada, the United States of America, and the United
Kingdom.
In 2019, data from Capital One was compromised, affecting more than 100 million customers
whose information, such as name, address, Canadian Social Insurance Number, and credit score,
was left exposed. Furthermore, 140,000 Social Security numbers and about 80,000 bank account
records were accessed by the hacker.

Summary of the Breach

The breach took place in March 2019, when the hacker gained access to the PII of customers in
the United States and Canada.
The hacker carried out the breach by exploiting a misconfiguration of the firewall in AWS,
using this vulnerability to gain unauthorized access to data that was stored in AWS S3
buckets.
Capital One learned of the incident on July 19, 2019, from an external cybersecurity
enthusiast through its Responsible Disclosure Program, where ethical security researchers can
report vulnerabilities. The actor was subsequently investigated and arrested by the FBI. The
hacker responsible for the incident was a former AWS employee, Paige Thompson, who was
sentenced to 5 years in prison following the investigation. According to Rhino Security Labs,
the actor withdrew the data from the S3 bucket and saved it to GitHub under their real name,
and they also boasted about stealing the data on Twitter (Rhino Security Labs).
According to Capital One, the information accessed by the actor was largely information on
consumers and small businesses who applied for a credit card between 2005 and early 2019;
no credit card account numbers or log-in credentials were compromised. There was no evidence
that the breached data was used for fraud or shared by the actor, and all the data was
successfully recovered (Capital One).

Technical Details of the Breach


The technical details below were drawn from the evidence in the GitHub file containing the
leaked data.

Initial Access
The hacker found the vulnerability, a misconfigured firewall, which allowed the attacker to send
commands that reached and were executed by the server. This in turn enabled access to the
folders of an S3 bucket that was used to store Capital One's data.

Execution
The actor used three commands to carry out this breach. The first command obtained security
credentials for an account that enabled access to folders in the S3 bucket. The username
looked like *****-WAF-Role, where "*" has not been disclosed by the FBI and Capital One; this
was the IAM role. The attacker then used another command to list all files in the S3 bucket
that were accessible to that role. Finally, the attacker used the sync command to copy all
the data available in the bucket somewhere else.
The attacker used a combination of a VPN provided by ipredator and The Onion Router (TOR) to
hide their IP; the logs showed attempts to access the S3 bucket from TOR exit nodes and from
IP addresses owned by ipredator.
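The last paragraph is the detection opportunity in this incident: an instance role's credentials being used for bulk S3 reads from addresses that are not the server's own network. The following Python sketch is an added illustration, not part of the assignment and not Capital One's or AWS's tooling. It runs a simple check over constructed, CloudTrail-shaped records; the role name, bucket name, address ranges and the "anonymizer" address list are placeholders.

```python
"""Detection sketch: flag an EC2 instance role whose credentials are used for
S3 read calls from an address outside the network the instance lives in.
Every record, address, role name and bucket name here is a constructed
placeholder, not a real log from the Capital One incident."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Assumption: the web tier only ever calls AWS APIs from this VPC range.
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed stand-in for a threat feed of anonymizer (TOR/VPN) exit addresses.
KNOWN_ANONYMIZER_IPS = {"198.51.100.7"}

# S3 read calls whose source address is worth checking.
S3_READ_EVENTS = {"ListBuckets", "ListObjects", "GetObject"}

# Constructed CloudTrail-like records, flattened to the fields the check uses
# (real CloudTrail nests the role under userIdentity.sessionContext).
SAMPLE_EVENTS = [
    {"eventName": "GetObject", "roleName": "placeholder-WAF-Role",
     "sourceIPAddress": "10.0.1.23", "bucket": "example-app-bucket"},
    {"eventName": "ListBuckets", "roleName": "placeholder-WAF-Role",
     "sourceIPAddress": "203.0.113.45", "bucket": None},
    {"eventName": "ListObjects", "roleName": "placeholder-WAF-Role",
     "sourceIPAddress": "203.0.113.45", "bucket": "example-app-bucket"},
    {"eventName": "GetObject", "roleName": "placeholder-WAF-Role",
     "sourceIPAddress": "198.51.100.7", "bucket": "example-app-bucket"},
    {"eventName": "GetObject", "roleName": "placeholder-batch-role",
     "sourceIPAddress": "10.0.4.9", "bucket": "example-app-bucket"},
]


@dataclass
class Finding:
    role: str
    source_ip: str
    reason: str
    calls: list = field(default_factory=list)


def ip_is_expected(ip, networks=EXPECTED_NETWORKS):
    """True when the address falls inside one of the expected network ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_suspicious_role_use(events, networks=EXPECTED_NETWORKS,
                             anonymizers=KNOWN_ANONYMIZER_IPS):
    """Return one Finding per (role, source IP) pair that issued S3 read calls
    from outside the expected networks. Addresses on the anonymizer list get
    a more specific reason so an analyst can prioritise them."""
    grouped = defaultdict(list)
    for ev in events:
        if ev["eventName"] not in S3_READ_EVENTS:
            continue
        if ip_is_expected(ev["sourceIPAddress"], networks):
            continue
        grouped[(ev["roleName"], ev["sourceIPAddress"])].append(ev["eventName"])

    findings = []
    for (role, ip), calls in grouped.items():
        reason = ("known anonymizer exit address" if ip in anonymizers
                  else "outside expected networks")
        findings.append(Finding(role, ip, reason, calls))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_role_use(SAMPLE_EVENTS):
        print(f"{f.role} used from {f.source_ip} ({f.reason}): {', '.join(f.calls)}")
```

On the constructed sample this reports the WAF role twice: once for the listing calls from an unexpected public address and once for the read from the placeholder anonymizer address, while the in-VPC reads are left alone. In production the expected ranges would come from the VPC configuration and the anonymizer list from a threat feed, and the rule would be paired with volume thresholds on ListObjects/GetObject to catch the "sync everything" pattern.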

Goal
The goal of the attacker was to gain credentials with access to the available data. However,
according to Amazon Web Services, this vulnerability could have been found by anyone, and it is
not certain whether the attack was targeted or accidental. Once the hacker had access to the
data, they wanted to save it for future use but were also looking to get rid of it from their
own server or system.

Mistake
The actor exfiltrated the data to a GitHub file under their real name and had been boasting
about it on social media. An undisclosed ethical security researcher emailed the GitHub
repository link to Capital One, letting them know that their data was exposed.

What steps did Capital One and AWS take after the breach?
Capital One immediately acknowledged that its data had been breached and investigated the
incident. First, it notified customers about the breach and started the investigation
process along with law enforcement and cybersecurity experts. It took steps to secure its
cloud infrastructure and provided support to the affected customers.
As the breach took place on the AWS platform, once notified of the breach AWS took steps to
help secure Capital One's resources. Together they took the following steps:
• Investigate: They worked together to determine the extent of the damage.
• Remediate: They worked together to secure the infrastructure and prevent further
breaches. They also worked to patch the misconfiguration.
• Best Practices: Capital One adopted best practices from AWS and implemented them in its
cloud infrastructure.
• Continuous Monitoring and Customer Support: AWS provided further support and
monitoring for Capital One's cloud infrastructure. They also worked together to notify
the affected customers and keep them updated.

Comparison to Similar Breaches

Misconfiguration is one of the most common vulnerabilities in cloud infrastructure, and there
have been many data breaches that exploited a similar weakness. Another similar data breach
took place in 2017, with Equifax as the victim. In both breaches, a huge amount of sensitive
personal information was exposed, and both affected data stored in cloud infrastructure. The
Capital One breach was due to a misconfiguration in cloud infrastructure hosted by Amazon Web
Services, whereas in the Equifax breach the attacker exploited a misconfiguration of Equifax's
web application software running on Apache Struts. Both breaches ended in the exposure of
millions of customers' Personally Identifiable Information. Both organizations took similar
response and remediation steps: notifying consumers, working with cybersecurity experts and
law enforcement, patching the vulnerability, and securing the infrastructure.

Impacts of the breach


Short Term Impacts
Following the data breach, Capital One went through a series of events. First, a large amount
of sensitive data had been exposed on the internet, which made the organization legally
liable. The organization was sued, and the lawsuit was later settled for $190 million
(13WIBW). There were other financial costs for the investigation and customer support.
The breach caused reputational damage to the organization, leading the public to lose trust in
it out of concern for the security of their personal information. Furthermore, the
organization had to provide free credit monitoring and identity theft protection services to
affected customers, although these might not protect them from identity theft.
After the breach, dozens of cybersecurity personnel resigned from their positions. Among the
major resignations was Richard D. Fairbank, the CEO and founder of Capital One, who stepped
down as CEO. Rob Alexander, the Chief Information Officer of Capital One, resigned when the
breach was disclosed, as he was responsible for the organization's information security
operations. The Chief Legal Officer as well as the Chief Risk Officer also stepped down from
their positions after the breach. This shows how the incident impacted Capital One's
leadership.

Long Term Impacts


One of the most serious impacts was on the individuals whose information was revealed, as they
are now permanently at high risk of identity theft and other types of fraud, which may affect
their financial and personal well-being.
Capital One has since implemented further security measures, such as sophisticated fraud
systems that allow the organization to detect anomalies.
Furthermore, customers have been asked to enroll in credit card account alerts to help them
keep track of activity on their accounts (Capital One). Capital One has also enabled Multi-
Factor Authentication and advised customers to monitor their credit card accounts and notify
the organization if they notice any activity they do not recognize (Capital One).

Proposed Corrective Action

The data breach took place because of a misconfiguration that can be corrected easily, but
there must also be other precautions for data handling and safety. First, employees must be
trained and have the necessary skill sets to secure the cloud infrastructure; this will help
prevent such vulnerabilities in the future. Even once the attacker got into the server and
accessed the S3 bucket, the data migration could have been prevented.
Furthermore, the organization could take the following actions:
• Review and improve information security by securing its systems and networks,
enhancing data protection and encryption methods, implementing additional security
controls, and addressing other areas that require improvement.
• Constantly review and update software security, ensuring that any vulnerabilities
are investigated in a timely manner.
• Build an incident response team and improve incident response processes so that the
organization can respond to data breaches efficiently.
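The point that the copy "could have been prevented" even after the credentials were obtained deserves a concrete control. The following is an added illustration, not from the assignment, Capital One or AWS: a weak bucket policy that lets the application role do anything from anywhere, beside a corrected one that grants only object reads and explicitly denies any request that does not arrive through the expected VPC. This assumes the application reaches S3 through a VPC endpoint, since that is what populates the aws:SourceVpc condition key. The bucket name, role ARN and VPC id are placeholders, and the small evaluator models only the handful of policy features used here (explicit Deny over Allow over implicit Deny), not the full AWS evaluation logic.

```python
"""Weak versus hardened S3 bucket policy, evaluated with a simplified model
of AWS policy logic. Names and ids are placeholders; the evaluator supports
only what these two policies use and is not a substitute for the real service."""

PLACEHOLDER_ROLE = "arn:aws:iam::111111111111:role/placeholder-WAF-Role"
PLACEHOLDER_VPC = "vpc-0placeholder"

# Weak setting: the role may perform any S3 action from anywhere, so stolen
# role credentials work just as well from the internet as from the server.
WEAK_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": PLACEHOLDER_ROLE, "Action": ["s3:*"]},
]}

# Corrected setting: least-privilege action list, plus an explicit Deny for
# any request that did not come through the expected VPC endpoint.
HARDENED_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": PLACEHOLDER_ROLE,
     "Action": ["s3:GetObject"]},
    {"Effect": "Deny", "Principal": "*", "Action": ["s3:*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpc": PLACEHOLDER_VPC}}},
]}


def _action_matches(pattern, action):
    """Only the two forms used above: a literal action or the s3:* wildcard."""
    return pattern == "s3:*" or pattern == action


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringNotEquals against the request context.
    A missing key counts as 'not equal', which is why the Deny above still
    applies to a request that carries no aws:SourceVpc at all."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual != expected:
                return False
            if operator == "StringNotEquals" and actual == expected:
                return False
    return True


def evaluate(policy, principal, action, context):
    """Return 'Allow' or 'Deny': an applicable explicit Deny wins, then an
    applicable Allow, otherwise the request is implicitly denied."""
    decision = "Deny"
    for statement in policy["Statement"]:
        if statement["Principal"] not in ("*", principal):
            continue
        if not any(_action_matches(p, action) for p in statement["Action"]):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Request contexts: a call from inside the VPC, and a call made from the
# internet with the same credentials (no VPC endpoint, so no aws:SourceVpc).
INSIDE_VPC = {"aws:SourceVpc": PLACEHOLDER_VPC}
OUTSIDE_VPC = {}


def main():
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for where, ctx in (("inside VPC", INSIDE_VPC), ("outside VPC", OUTSIDE_VPC)):
            for action in ("s3:GetObject", "s3:ListBucket"):
                result = evaluate(policy, PLACEHOLDER_ROLE, action, ctx)
                print(f"{name:8} {where:12} {action:14} -> {result}")


if __name__ == "__main__":
    main()
```

With the hardened policy the same role credentials are denied both actions from outside the VPC, and the listing call is denied even from inside, because the application never needed it; the weak policy allows everything in every case. This is the sense in which the copy could have been stopped after the credentials were already in the attacker's hands.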

References

Beardsley, Tod. "Breaches are out there, but that doesn't mean you have to be a target."
Rapid7, Apr. 2022, https://www.rapid7.com/thank-you/2022-cloud-misconfigurations-report/

Colby, Clifford. "Capital One data breach: What you can do now following bank hack." CNET,
Aug. 2019, https://www.cnet.com/tech/computing/capital-one-data-breach-what-you-can-do-now-following-bank-hack/

Anderson, Jeffrey. "The Capital One Breach & 'cloud_breach_s3' CloudGoat Scenario." Rhino
Security Labs, 2019, https://rhinosecuritylabs.com/aws/capital-one-cloud_breach_s3-cloudgoat/#:~:text=Technical%20Details%20of%20the%20Capital%20One%20Breach%20Based,charging%20documents%20break%20it%20down%20into%203%20steps%3A

Covert, Edwin. "Case Study: AWS and Capital One." System Weakness, May 2021,
https://systemweakness.com/case-study-aws-and-capital-one-c4ad6cb71c79

Stella, Josh. "A Technical Analysis of the Capital One Cloud Misconfiguration Breach." Fugue,
Aug. 2019, https://www.fugue.co/blog/a-technical-analysis-of-the-capital-one-cloud-misconfiguration-breach

Capital One. "Information on the Capital One cyber incident." Capital One, 22 Apr. 2022,
https://library.senecacollege.ca/mla/websites

Whalen, Tori. "Customers affected by Capital One data breach have limited days to file a claim."
13WIBW, Sep. 2022, https://www.wibw.com/2022/09/08/customers-affected-by-capital-one-data-breach-have-limited-days-file-claim/