How the Accused Capital One Hacker Stole Reams of Data from the Cloud

The woman who allegedly pulled off one of the largest-ever bank-data heists appeared to have exploited a vulnerability in the cloud that security experts have warned about for years.

Source: WSJ | Published on August 5, 2019


Paige A. Thompson, a former employee at Amazon.com Inc.’s cloud-computing unit who was arrested July 29, is accused of carrying out the massive theft of 106 million Capital One Financial Corp. records.

Capital One has said “a specific configuration vulnerability” led to the data loss.

Ms. Thompson was allegedly able to find an opening in Capital One’s systems and exploit a weakness common to misconfigured cloud servers, according to a Wall Street Journal analysis of hundreds of Ms. Thompson’s online messages and interviews with people familiar with the investigation. Security professionals have warned about that gap for years; the messages and interviews suggest she used it to trick a system in the cloud into revealing the sensitive credentials she needed to access the vast number of customer records.

Ms. Thompson, in online messages in accounts that prosecutors have said were hers, claimed to have also applied those techniques to access a trove of online data from other organizations. The messages were posted in online forums.

Ms. Thompson’s lawyer didn’t respond to requests for comment. She remains in detention and is scheduled for a bail hearing on Aug. 15.

At the heart of the digital break-in was Ms. Thompson’s apparent ability to tap into a central piece of Amazon’s cloud technology known as its metadata service. It hands out the credentials and other data that servers in the cloud need to do their work. Those credentials effectively are the computer world’s equivalent of the keys to a bank vault.

In the first step of her alleged hack that began in March, according to her online postings, Ms. Thompson ran a scan of the internet to find vulnerable computers that could give her access to a company’s internal networks. Effectively, she knocked on many front doors to hunt for ones that were unlocked.

In the case of Capital One, she found that a computer managing communications between the company’s cloud and the public internet was misconfigured—effectively it had weak security settings—according to people familiar with the investigation. The door was open.

Through that opening, she was able to make that computer request, on her behalf, the credentials held by the Amazon cloud’s metadata service, and with those credentials to find and read Capital One’s cloud-stored data, the people said.
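The three steps above (a public-facing component that fetches URLs it is handed, that component pointed at the metadata service, and the role credentials relayed back) describe what application-security people call server-side request forgery against the instance metadata service. The model below is an added illustration, not code from the article, from Capital One or from AWS: the metadata service is mocked in-process so the script runs offline, and the role name, credential values and proxy are invented. The 169.254.169.254 address, the `/latest/meta-data/iam/security-credentials/` paths and the PUT-then-GET token handshake of the token-based metadata service (IMDSv2, a later AWS option the article does not mention) are real AWS behaviour. It shows why a GET-only forwarder leaks credentials against the original service but not against the token-based one, and that software on the instance itself keeps working after the change.

```python
"""Model of the credential-relay path: an SSRF-able fetcher aimed at the
EC2 instance metadata service (IMDS).  Added example, not the article's or
AWS's code.  MockIMDS stands in for the real service; role and credentials
are constructed sample values."""
from __future__ import annotations

import ipaddress
import secrets
from urllib.parse import urlparse

IMDS_HOST = "169.254.169.254"                        # real link-local IMDS address
TOKEN_HEADER = "X-aws-ec2-metadata-token"            # real IMDSv2 headers
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

ROLE_NAME = "example-app-role"                       # hypothetical role name
FAKE_CREDS = ('{"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",'
              ' "Token": "example-session-token"}')  # constructed, not real keys


class MockIMDS:
    """In-process stand-in for the metadata service.

    require_token=False models IMDSv1: any GET is answered.
    require_token=True models IMDSv2: every GET must carry a session token
    that was first obtained with a PUT to /latest/api/token.
    """

    def __init__(self, require_token: bool):
        self.require_token = require_token
        self._tokens: set[str] = set()

    def handle(self, method: str, path: str, headers: dict) -> tuple[int, str]:
        if method == "PUT" and path == "/latest/api/token":
            if TOKEN_TTL_HEADER not in headers:
                return 400, "missing ttl header"
            token = secrets.token_urlsafe(16)
            self._tokens.add(token)
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        if self.require_token and headers.get(TOKEN_HEADER) not in self._tokens:
            return 401, "unauthorized"
        if path == CREDS_PATH:
            return 200, ROLE_NAME                    # lists the attached role
        if path == CREDS_PATH + ROLE_NAME:
            return 200, FAKE_CREDS                   # temporary credentials
        return 404, "not found"


def vulnerable_fetch(imds: MockIMDS, url: str) -> tuple[int, str]:
    """The misconfigured component: it GETs whatever URL a client names.
    Only GET is forwarded, which is why the PUT-first handshake defeats it."""
    parsed = urlparse(url)
    if parsed.hostname == IMDS_HOST:
        return imds.handle("GET", parsed.path, {})
    return 502, "upstream unreachable in this offline model"


def steal_role_credentials(imds: MockIMDS) -> tuple[int, str]:
    """Attacker's two requests through the fetcher: list the role, read its keys."""
    base = f"http://{IMDS_HOST}{CREDS_PATH}"
    status, role = vulnerable_fetch(imds, base)
    if status != 200:
        return status, role
    return vulnerable_fetch(imds, base + role)


def on_instance_client(imds: MockIMDS) -> tuple[int, str]:
    """How software on the instance itself reads its credentials under IMDSv2."""
    status, token = imds.handle("PUT", "/latest/api/token", {TOKEN_TTL_HEADER: "21600"})
    if status != 200:
        return status, token
    hdrs = {TOKEN_HEADER: token}
    status, role = imds.handle("GET", CREDS_PATH, hdrs)
    if status != 200:
        return status, role
    return imds.handle("GET", CREDS_PATH + role, hdrs)


def hardened_fetch(imds: MockIMDS, url: str) -> tuple[int, str]:
    """Same fetcher with an egress check on the destination address.
    Real code must resolve hostnames first; this model accepts literal IPs only."""
    parsed = urlparse(url)
    try:
        addr = ipaddress.ip_address(parsed.hostname or "")
    except ValueError:
        return 400, "literal IP targets only in this model"
    if addr.is_link_local or addr.is_loopback or addr.is_private:
        return 403, "destination not allowed"
    return vulnerable_fetch(imds, url)


if __name__ == "__main__":
    print("IMDSv1, GET-only SSRF:", steal_role_credentials(MockIMDS(require_token=False)))
    print("IMDSv2, GET-only SSRF:", steal_role_credentials(MockIMDS(require_token=True)))
    print("IMDSv2, on-instance client:", on_instance_client(MockIMDS(require_token=True)))
    print("egress check:", hardened_fetch(MockIMDS(False), f"http://{IMDS_HOST}{CREDS_PATH}"))
```

The two fixes are independent: requiring the session token is set on the instance and protects every fetcher on it, while the egress check belongs in the application and also stops requests to other internal addresses that the metadata setting does not cover.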

“Dude so many people are doing it wrong,” Ms. Thompson said in a June 27 online message, referring to how some companies were incorrectly configuring their servers.

Once she found the Capital One data, she was able to download it, the people familiar with the investigation said. All, apparently, without triggering any alerts.

Amazon said in a statement that none of its services—including the metadata service—were the underlying cause of the break-in and that it offers monitoring tools designed to detect this type of incident.

It is unclear why none of these alerting tools appear to have triggered alarm bells at Capital One.

A Federal Bureau of Investigation affidavit said a Capital One error enabled the breach. Capital One said it now has fixed the configuration problem.

Some security experts say that Amazon should do more to alert its customers about these configuration errors. Others say, given that cloud security is a shared responsibility, corporate customers have to do their part.

Amazon has said it has several tools to help mitigate configuration slip-ups.

Prosecutors have said that Ms. Thompson began her hacking on March 12, but Capital One didn’t learn of it until it was tipped off by an outside researcher 127 days later.

Security professionals have known about one of these misconfiguration problems—the ability to pilfer credentials from the metadata service—since at least 2014, said Scott Piper, who advises companies on their Amazon cloud security. Amazon has considered it the customer’s responsibility to eradicate them, he said, and some customers have failed to do so.

Brennon Thomas, a security researcher, conducted an internet scan in February and found more than 800 Amazon accounts that allowed similar access to the metadata service. Amazon’s cloud-computing service boasts more than one million users.
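Since Amazon treats the setting as the customer's to fix, the check a cloud-security team wants is a sweep of its own fleet for instances whose metadata service still answers untokened GETs. The audit below is an added example, not code from the article, from Mr. Thomas's scan or from AWS. The records are constructed to mimic the shape of the `describe_instances` response returned by the boto3 EC2 client (`MetadataOptions` with `HttpEndpoint`, `HttpTokens` and `HttpPutResponseHopLimit` is the real field layout), the instance IDs are invented, and the remediation helper only builds the keyword arguments for the real `modify_instance_metadata_options` call rather than invoking it, so the script runs offline.

```python
"""Audit EC2 metadata-service settings for the credential-relay exposure.
Added example, not the article's or AWS's code.  SAMPLE_RESPONSE is a
constructed stand-in for boto3.client("ec2").describe_instances()."""
from __future__ import annotations

SAMPLE_RESPONSE = {                       # constructed; instance IDs are invented
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0aaa111example",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222example",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0ccc333example",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ddd444example",
         "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 1}},
    ]}]
}


def audit_metadata_options(response: dict) -> list[dict]:
    """Return one finding per instance whose metadata service can be abused
    by a GET-only SSRF or whose token responses can cross a network hop."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue                  # no metadata service at all: nothing to relay
            issues = []
            if opts.get("HttpTokens") != "required":
                issues.append("IMDSv1 allowed (HttpTokens=optional): "
                              "an untokened GET returns role credentials")
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                issues.append("HttpPutResponseHopLimit > 1: session tokens can be "
                              "fetched from a container or NAT hop away")
            if issues:
                findings.append({"InstanceId": inst["InstanceId"], "issues": issues})
    return findings


def remediation_kwargs(finding: dict) -> dict:
    """Keyword arguments for ec2.modify_instance_metadata_options() that close
    the finding; returned rather than executed so this runs offline."""
    return {"InstanceId": finding["InstanceId"], "HttpEndpoint": "enabled",
            "HttpTokens": "required", "HttpPutResponseHopLimit": 1}


if __name__ == "__main__":
    for finding in audit_metadata_options(SAMPLE_RESPONSE):
        print(finding["InstanceId"])
        for issue in finding["issues"]:
            print("  -", issue)
        print("  fix:", remediation_kwargs(finding))
```

Against a real account, replace `SAMPLE_RESPONSE` with a paginated `describe_instances` call and pass each result of `remediation_kwargs` to `modify_instance_metadata_options` only after confirming the instance's own software already performs the token handshake; requiring tokens breaks any local client that still does plain GETs.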

Mr. Thomas said the problem of misconfigured servers enabling outsiders to access sensitive metadata isn’t limited to Amazon Web Services, or AWS. His test also found problems with systems running on Microsoft Corp.’s cloud. Microsoft didn’t respond to requests for comment.

That Capital One was a victim has surprised some researchers. The bank performed extensive due diligence before deciding, in 2015, to embrace the cloud, company officials have said. “Capital One is well-known among people that do cloud security for having one of the strongest teams out there,” Mr. Piper said.

The Capital One data breach isn’t the first time data stored in the cloud has been stolen. But the fact that the fifth-largest U.S. credit-card issuer has become a victim is reviving concerns about cloud computing. Capital One was an early adopter of cloud computing and is featured as a case study on the AWS website.

The Federal Reserve, independent of the hack, has already been scrutinizing the use of the cloud to store sensitive financial records, the Journal has reported.

Ms. Thompson, in a posting from one of the accounts that prosecutors said was hers, implied that she used such techniques to target other companies’ cloud-computing accounts, including Italian bank UniCredit SpA and Ford Motor Co. Both companies have said they are looking into it. The FBI has opened an investigation into the other targets that it suspects Ms. Thompson might have hit.

Ms. Thompson’s alleged actions may have gone unnoticed for far longer if she hadn’t posted details of her hack online.