Capital One suspect indicted


Seattle-based software engineer Paige Thompson faces up to 25 years in prison after being indicted on two counts related to the Capital One data breach that affected 106 million customers.

Thompson has been indicted on federal charges for wire fraud and computer data theft related to alleged unauthorised intrusion into stored data of more than 30 companies, including Capital One.

According to the indictment, Thompson created scanning software that allowed her to identify customers of a cloud computing company - understood to be Amazon Web Services - who had misconfigured their firewalls, allowing outside commands to penetrate and access their servers.

She then used the access to steal data - in the case of Capital One, the personal information of 106 million credit card holders and applicants in the US and Canada.

Dubbed one of the largest data breaches to hit a financial services firm, the Capital One hack is expected to cost the company between $100 million and $150 million.

In addition to stealing data, Thompson is also accused of using stolen computer power to mine cryptocurrency.

Thompson was identified after sharing information about the Capital One theft with another user on GitHub. The user informed Capital One, which contacted the FBI.

Comments: (4)

A Finextra member 29 August, 2019, 17:12

I find it ironic that this page is sponsored by Amazon Web Services, since it was their firewall that was breached.

Russell Bell - Fastbase Ltd - Wellington 30 August, 2019, 01:56

I assume the web application firewalls were misconfigured. WAF is a feature provided by AWS, but it's a tool used & controlled by the customer; AWS don't do the configuring themselves.

Mark Anderson - BioTechnologies - Sydney 30 August, 2019, 02:00

To @A Finextra member - as Russell Bell said. 

Russell Bell - Fastbase Ltd - Wellington 30 August, 2019, 02:13

Though (to contradict myself) the WAF Managed Rules feature tends to muddy the waters of responsibility. These are rules an AWS customer can deploy that are written and maintained by "security experts" who don't work for AWS directly but who seem to have some degree of endorsement from AWS. I don't know if this is relevant to this particular incident.