/cloud

News and resources on cloud strategy, selection, build, migration and operation for banks and fintechs.

Capital One suspect indicted

Seattle-based software engineer Paige Thompson faces up to 25 years in prison after being indicted on two counts related to the Capital One data breach that affected 106 million customers.

  11 4 comments

Capital One suspect indicted

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Thomson has been indicted on Federal charges for wire fraud and computer data theft related to alleged unauthorised intrusion into stored data of more than 30 companies, including Capital One.

According to the indictment, Thomson created scanning software that allowed her to identify customers of a cloud computing company - understood to be Amazon Web Services - who had misconfigured their firewalls, allowing outside commands to penetrate and access their servers.

She then used the access to steal data - in the case of Capital One, the personal information of 106 million credit card holders and applicants in the US and Canada.

Dubbed one of the largest data breaches to hit a financial services firm, the Capital One hack is expected to cost the company between $100 million and $150 million.

In addition to stealing data, Thompson is also accused of using stolen computer power to mine cryptocurrency.

Thompson was identified after sharing information about the Capital One theft with another user on GitHub. The user informed Capital One, which contacted the FBI.

Sponsored New Event Report – Natural Capital Finance

Comments: (4)

A Finextra member 

I find it ironic that this page is sponsored by Amazon Web Services, since it was their firewall that was breached.

Russell Bell

Russell Bell Director at Fastbase Ltd

I assume the web application firewalls were misconfigured.  WAF is a feature provided by AWS, but it's a tool used & controlled by the customer, AWS don't do the configuring themselves.

Mark Anderson

Mark Anderson General Manager at BioTechnologies

To @A Finextra member - as Russell Bell said. 

Russell Bell

Russell Bell Director at Fastbase Ltd

Though (to contradict myself) the WAF Managed Rules feature tends to muddy the waters of responsibility.  These are rules an AWS customer can deploy that are written and maintained by "security experts" who don't work for AWS directly but who seem to have some degree of endorsement from AWS.  I don't know if this is relevent to this particular incident.

[On-Demand Webinar] Unifying Card Programmes: The cost-reduction imperativeFinextra Promoted[On-Demand Webinar] Unifying Card Programmes: The cost-reduction imperative