Update on the Capital One breach

A criminal complaint was filed in the Western District of Washington on July 29, 2019 against one Paige A. Thompson, accusing her of committing the Capital One breach.  A link to the complaint is available here:

https://www.justice.gov/usao-wdwa/press-release/file/1188626/download

The timeline described in the complaint is as follows:

  1. The breach apparently began March 12, 2019 with an attempt to access Capital One data from an unauthorized IP address. The attempt was logged; had Capital One engaged in proper internal monitoring of its system activity, it would have been detected at the time.
  2. Ten days later, a command was executed from a portion of the Capital One IT infrastructure where such commands do not ordinarily originate. Again, this activity was recorded but not examined, and there was no follow-up.
  3. On the same date, March 22, 2019, a series of commands originating from Paige Thompson’s unauthorized IP address caused files from Capital One to be copied. These files contained sensitive information belonging to Capital One’s customers.
  4. Copying of files continued at least until April 21, 2019, all without Capital One’s apparent knowledge. On that date the files were uploaded to GitHub, along with the commands that allowed the data in them to be downloaded and copied.
  5. On June 18, 2019, Paige Thompson posted on Twitter that she had Capital One documents that she intended to publish.
  6. On June 26 and 27, 2019, Paige Thompson posted online the names of files she had stolen from Capital One containing sensitive customer data, as well as a description of how she had accomplished the theft.
  7. On July 17, 2019, an individual “unknown to Capital One” sent an email informing the company that some of its files were on GitHub. This appears to be the first time that anyone at Capital One became aware of the suspicious activity on its servers.
  8. Capital One examined the GitHub file and told law enforcement that a “firewall misconfiguration permitted commands to reach and be executed by [Capital One’s] server, which enabled access to folders or buckets of data in Capital One’s storage space….”
  9. Capital One did not issue a press release announcing the breach until July 29, 2019.

 

Could have been prevented

All of this could have been prevented, or at least caught in March rather than July, had Capital One used competent internal monitoring along with an independent audit of its IT infrastructure.  Although Capital One calls the problem a “firewall misconfiguration,” it is apparent that the problems run much deeper: the activity in steps 1, 2 and 4 of the timeline was recorded in Capital One’s own logs, and nobody was looking at them.
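To make “competent internal monitoring” concrete, here is an added example, written for this post and not taken from the complaint or from Capital One, of the kind of log review that would have raised an alarm at steps 1, 2 and 4 of the timeline. The log format, field names, trusted network range, role baseline and threshold are all assumptions, and the log records are constructed for illustration; they only loosely mirror the dates in the complaint. It generalizes the three signals the timeline describes into three rules: a command from an IP address outside the trusted networks, a command from a part of the infrastructure that does not normally issue it, and a run of copy commands from one source.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample records (not real Capital One logs). Assumed format:
# <timestamp> <source-ip> <origin-role> <action> <object>
SAMPLE_LOG = """\
2019-03-10T09:00:00 10.0.1.15 batch-job ListBuckets -
2019-03-10T09:05:00 10.0.1.15 batch-job GetObject reports/daily.csv
2019-03-12T02:14:00 203.0.113.7 web-proxy ListBuckets -
2019-03-22T03:40:00 203.0.113.7 web-proxy GetObject customers/part-001
2019-03-22T03:41:00 203.0.113.7 web-proxy GetObject customers/part-002
2019-03-22T03:42:00 203.0.113.7 web-proxy GetObject customers/part-003
2019-03-23T10:00:00 10.0.1.15 batch-job GetObject reports/daily.csv
""".splitlines()

# Assumed: the only networks that should be issuing storage commands at all.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# Assumed baseline of which role normally issues which storage actions.
# In practice this is derived from weeks of known-good history, not typed in.
BASELINE = {
    "batch-job": {"ListBuckets", "GetObject"},
    "web-proxy": set(),  # a proxy has no business reading buckets
}


@dataclass(frozen=True)
class Record:
    ts: str
    src_ip: str
    origin: str
    action: str
    obj: str


def parse_line(line: str) -> Record:
    """Split one whitespace-separated log line into a Record."""
    ts, src_ip, origin, action, obj = line.split()
    return Record(ts, src_ip, origin, action, obj)


def detect(records, trusted_nets=TRUSTED_NETS, baseline=BASELINE, bulk_threshold=3):
    """Run three rules over the records and return {rule_name: [Record, ...]}.

    untrusted_source_ip       - command came from outside the trusted networks
    unusual_origin_for_action - this role does not normally issue this action
    bulk_copy                 - one source IP reached the GetObject threshold
    """
    alerts = {"untrusted_source_ip": [], "unusual_origin_for_action": [], "bulk_copy": []}
    copies_by_ip = Counter()
    for r in records:
        ip = ip_address(r.src_ip)
        if not any(ip in net for net in trusted_nets):
            alerts["untrusted_source_ip"].append(r)
        if r.action not in baseline.get(r.origin, set()):
            alerts["unusual_origin_for_action"].append(r)
        if r.action == "GetObject":
            copies_by_ip[r.src_ip] += 1
            if copies_by_ip[r.src_ip] == bulk_threshold:  # fire once per source IP
                alerts["bulk_copy"].append(r)
    return alerts


def first_alert_time(alerts):
    """Earliest timestamp across all alerts, or None if nothing fired."""
    times = [r.ts for recs in alerts.values() for r in recs]
    return min(times) if times else None


if __name__ == "__main__":
    found = detect([parse_line(line) for line in SAMPLE_LOG])
    for rule, recs in found.items():
        for r in recs:
            print(f"{rule:26} {r.ts} {r.src_ip} {r.origin} {r.action} {r.obj}")
    print("first alert:", first_alert_time(found))
```

Run against the constructed log, the first rule fires on the March 12 record, the same day the timeline says the intrusion began, and the bulk-copy rule fires on March 22, the day the copying started; neither requires knowing anything about the attacker in advance, only a baseline of what normal looks like and someone assigned to read the alerts.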

Capital One has now been sued by victims of the breach.

In an earlier post, we recommended four steps that every business should take to minimize the risk of a breach and mitigate the damage in the event one occurs.  The bad guys are smart and they are constantly adapting.  Cybercrime is a fact of life, and not all breaches are preventable.  But it is apparent that Capital One failed to take basic steps to keep its data safe, and made itself an easy target.