When is a hack a hack? What makes a breach a breach? And who is to blame when a company loses a massive trove of data that it failed to properly protect?
The Capital One incident, which has resulted in about 106 million people in the U.S. and Canada waking up to the realization that their personal details have been hijacked, brings these questions to the forefront of the conversation. Someone is responsible—but who?
“It is a good example of something that has a little bit of everything in terms of classification,” Chris Boyd, a lead intelligence analyst at Malwarebytes, told Newsweek.
“I wouldn’t class it as a data leak, because the information wasn’t sitting out in the open for anyone to view or spilling out of its own accord—the attacker had to deliberately make use of specific commands to enumerate and download it,” Boyd continued.
“It isn’t so much whether it’s a ‘hack versus a breach,’ so much as it is someone making use of a hack to breach the bucket and take ownership of data that wasn’t properly secured. Outside of the debate as to what category it falls under, the impact on the victim is still the same.”
The financial services giant says an individual was able to exploit a “configuration vulnerability” to steal sensitive records held in an Amazon Web Services (AWS) database. Experts note AWS leaks are common in cybersecurity circles as researchers routinely discover—then responsibly disclose—instances of data being left on the cloud without adequate protection.
The Capital One cyber-incident, by contrast, has resulted in the arrest of a 33-year-old software engineer from Seattle: Paige A. Thompson, who used the pseudonym “erratic.” The FBI says Thompson now faces a charge of computer fraud and abuse after being caught red-handed in possession of the bank’s records and allegedly discussing plans to “distribute” the data.
At this stage, the suspect’s intentions and motivations remain murky.
“No one authorized Thompson to break through the ‘firewall’ as it’s being called, and download data,” Elissa Shevinsky, the CEO of cybersecurity company Faster Than Light, tells Newsweek.
“Thompson has been arrested and charged with violation of the CFAA [Computer Fraud and Abuse Act], that’s a clear indication that this is being categorized as a ‘hacking’ crime by the government. I’m sure the infosec community will agree,” Shevinsky added.
“I wish that this case were unique. Unfortunately, these situations—where an application guarding an AWS instance is misconfigured—are all too common. In 2018, it was popular for hackers to use misconfigured ‘Docker’ containers in order to gain access to cloud instances. Hackers would then use those instances to mine for [the cryptocurrency] Monero.”
The files extracted from Capital One’s misconfigured database were vast. Despite the legalese, it was pretty much impossible for the bank to downplay the severity of the incident.
However it was defined, the seemingly calculated theft resulted in the loss of names, addresses, postal codes, phone numbers, email addresses, dates of birth, self-reported incomes, credit scores, credit limits, balances, payment history and contact records from 2005 to 2019.
In addition, data included about 140,000 social security numbers of credit card customers and about 80,000 linked bank account numbers of secured credit card customers. In bad news for Canadian customers, about 1 million Social Insurance Numbers were also pilfered.
It is believed the data was first accessed in March.
The trove of files was brought to Capital One’s attention via an email address dedicated to bug reporting. On July 17, a GitHub user alerted the bank that its code had been spotted online.
According to a criminal complaint published by the U.S. Department of Justice (DoJ), federal investigators determined the GitHub file contained code that, when executed, could be used to “extract or copy data from folders or buckets in Capital One’s storage space.”
Capital One said computer log analysis had traced multiple connections hitting the AWS folders to the person responsible for the intrusion. An FBI agent said Thompson was easily tied to the GitHub entry because it included her full name. The suspect’s profiles on Slack and Twitter were also reviewed. Thompson reportedly worked at Amazon’s AWS division from 2015 to 2016.
Chris Vickery, a vulnerability hunter with vast experience disclosing AWS flaws, told Newsweek there is a key detail missing before any conclusion can be drawn in the case.
“That detail is whether or not Thompson used privileged information or credentials in the original enumerating of Capital One buckets,” the veteran researcher said. “Until we know the answer to that, there are many possible ways the truth of the matter could play out.”
In one Slack chat from last month, the suspect posted a list of files she claimed to possess. “I believe that ‘erratic’ was claiming to have files extracted using the extraction command set forth in the April 21 file,” the agent wrote in the complaint. A screenshot of the Slack timeline showed one person in the conversation thread had replied: “Sketchy shit. Don’t go to jail plz.” The FBI said Thompson was arrested yesterday after indicating she intended to “distribute” the files.
As the dust settled, cybersecurity commentators hotly debated the technicalities of the intrusion. Some questioned the suspect’s motives. “What surprises me is the ‘attacker’ either didn’t understand the gravity of their actions (& was very sloppy) or did & just really wanted to get caught,” tweeted Nicholas J. Percoco, the chief security officer at the Kraken Exchange.
Jake Williams, the founder of cybersecurity firm Rendition Infosec, wrote about the situation: “I can’t help but wonder if a researcher (or quasi-researcher) has been jailed.
“It’s entirely conceivable someone else also poked around at the data but failed to disclose it. But there’s the rub: if you’re poking around and don’t report, you open yourself up to liability.”
Cyber-experts told Newsweek the Capital One intrusion—as it is currently understood—is not just a hack and not just a breach. Based on existing evidence, it’s both.
“In this case the reportedly ex-AWS employee gaining unauthorized access to Capital One’s systems can be considered a hack, while the theft and public distribution of data constitutes a breach,” explained Matt Walmsley, EMEA director at AI-focused cyber firm Vectra. “The fact that this occurred in the cloud may have changed the hacker’s tactics and actions, but not the impact or consequences. There will be plenty of blame and culpability to go around.”
Cyber-expert consultant Robert Pritchard, who formerly worked with the U.K. government on digital security issues, agreed the burden remained on Capital One’s doorstep.
“I think hacks can be breaches, this is both,” he told Newsweek.
“Obviously the blame for doing this lies with the hacker, whatever their motive; however, Capital One absolutely has a corporate liability for the security gaps. [The company] clearly failed to properly configure its web application firewall to protect the credentials or to do any security monitoring, as they didn’t detect this incident; it was reported to them by a third party.”
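The monitoring gap Pritchard describes, and the log analysis Capital One later performed, can be approximated by a simple triage rule over CloudTrail-style records: flag any principal and source address that lists every bucket and then reads from several of them in sequence. This is an added example with constructed log records, not code from the article, Capital One or AWS; the role ARNs, IP addresses and bucket names are assumed placeholders.

```python
from collections import defaultdict

# Constructed, simplified CloudTrail-style records (not real logs from the
# incident). Role ARNs, IPs and bucket names are placeholders.
def ev(name, arn, ip, bucket=None):
    return {"eventName": name, "userIdentity": {"arn": arn},
            "sourceIPAddress": ip,
            "requestParameters": {"bucketName": bucket} if bucket else None}

WAF_ROLE = "arn:aws:sts::111122223333:assumed-role/waf-role/i-0example"
APP_ROLE = "arn:aws:sts::111122223333:assumed-role/app-role/i-0example"

SAMPLE_EVENTS = [
    ev("GetObject", APP_ROLE, "10.0.1.5", "app-assets"),             # normal app traffic
    ev("ListBuckets", WAF_ROLE, "198.51.100.7"),                     # WAF role enumerating all buckets
    ev("ListObjects", WAF_ROLE, "198.51.100.7", "customer-data-1"),
    ev("GetObject", WAF_ROLE, "198.51.100.7", "customer-data-1"),
    ev("GetObject", WAF_ROLE, "198.51.100.7", "customer-data-2"),
    ev("GetObject", WAF_ROLE, "198.51.100.7", "customer-data-3"),
    ev("GetObject", APP_ROLE, "10.0.1.5", "app-assets"),
]

def find_bulk_readers(events, min_buckets=3):
    """Key events by (principal ARN, source IP). Return the keys that issued
    ListBuckets and afterwards read from at least min_buckets distinct
    buckets, with the sorted bucket names. A role that only ever touches
    its own bucket never trips the rule, so ordinary app traffic is quiet."""
    listed = set()
    buckets_read = defaultdict(set)
    for e in events:
        key = (e["userIdentity"]["arn"], e["sourceIPAddress"])
        if e["eventName"] == "ListBuckets":
            listed.add(key)
        elif e["eventName"] in ("GetObject", "ListObjects") and key in listed:
            buckets_read[key].add(e["requestParameters"]["bucketName"])
    return {k: sorted(v) for k, v in buckets_read.items() if len(v) >= min_buckets}

if __name__ == "__main__":
    for (arn, ip), buckets in find_bulk_readers(SAMPLE_EVENTS).items():
        print(f"ALERT: {arn} from {ip} listed buckets then read {len(buckets)}: {buckets}")
```

In a real deployment the rule would run over the account's CloudTrail data events for S3 and be tightened with the role's expected source ranges and bucket allow-list.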
Boyd told Newsweek Capital One will not be the last company to suffer from a breach of this nature. “Misconfigured AWS buckets are often discovered when it’s too late,” he said.
“Although things could get complicated if contractors were used to secure the information, ultimate responsibility should lie with Capital One. It’s long past the point where organizations that are entrusted with personal data should no longer be running into issues like this.” He warned: “As things stand, you could probably set your alarm for another incident in six months—or less.”