'Amateur' Capital One Hack Stuns Security Community
Sumaira FH Published July 31, 2019 | 12:01 AM
The massive data breach at Capital One appeared to be an unsophisticated attack from a single hacker, raising questions about the security of the financial system and insider threats to cloud computing
The motive behind the breach and extent of its impact remained unclear Tuesday, a day after FBI agents arrested 33-year-old former web engineer Paige Thompson and charged her with stealing data from more than 100 million credit card applications from the 10th largest US bank.
"The biggest surprise is the amateur nature of the attack," said John Dickson of the security consultancy Denim Group.
Dickson said it was "absolutely earth-shattering" that an individual attacker could gain access to that much data at one of the largest US financial institutions.
"This could have a major impact on confidence in the banking system." The Capital One hack appears to be different from major breaches at the credit monitoring firm Equifax, internet giant Yahoo and other major incidents which have been attributed to sophisticated nation-state entities.
US authorities said Thompson, a former Amazon Web Services employee, was arrested on the basis of a tip after she boasted of accessing the data on the software sharing site GitHub as well as on Twitter and Slack.
Darren Hayes, a Pace University computer science professor specializing in cybersecurity, said the ability to quickly arrest and prosecute an attacker in this kind of case is unusual.
"Most of these cases are perpetrated by hackers in other countries," he said.
- 'Good people gone bad' - Hayes said the incident highlights the risk of "insider" attacks when trusted employees turn to theft.
"It is challenging to catch good people gone bad, so a lot of banks look for that now" with artificial intelligence tools to detect anomalies in employee behavior, Hayes said.
Capital One said the incident affected some 100 million US customers and six million Canada, with as many as 140,000 US and one million Canadian social security numbers compromised.
Only some of the data was encrypted, but Capital One said it had no indication any of the data was transferred or sold where it could be damaging for customers.
Still, Hayes said he sees a risk of data loss that could end up compromising bank customers.
"My sense is that we are going to see a lot of class-action lawsuits and the company could be liable for a lot of damages," he said.
News of the Capital One breach comes after US credit monitoring agency Equifax last week agreed to pay up to $700 million to settle a similar incident that hit the company in 2017, affecting nearly 150 million customers.
New York State attorney general Letitia James said her office was opening up its own investigation.
"My office will begin an immediate investigation into Capital One's breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief," James said.
- 'Easier target' - Dylan Gilbert of the consumer group Public Knowledge said the news raises questions about security procedures by the large bank.
"Why didn't Capital One fully encrypt this data, and why didn't the company place this vast trove of personal information behind a properly configured firewall?" Gilbert said.
"Security is challenging and mistakes happen, but unfortunately for consumers, companies have no incentive to engage in cybersecurity best practices when punishment comes in the form of financial penalties that can be factored in as a mere cost of doing business." Joseph Hall, chief technologist at the Center for Democracy & Technology, said the incident highlights the risk of depending too much on cloud computing, which stores vast amounts of data in servers.
"The fact that there is so much more data in the cloud makes it an easier target," Hall said.
"If cloud services are misconfigured it's relatively easy for someone walking by to take advantage of that." Thompson's online resume indicates she left Amazon in 2016, and there was no indication the AWS cloud itself was to blame for the breach.
"AWS was not compromised in any way and functioned as designed," Amazon said in a statement.
"The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud."
Related Topics
Recent Stories
Rock-solid Ruud racks up season-leading win in Barcelona
At UN, Iran says it will make Israel 'regret' reprisals
G7 hears calls for 'critical' Ukraine aid
EU seeks to leverage might to confront China, US challenge
5 Customs officials martyred as their vehicle ambushed by terrorists in D I Khan
Pak-New Zealand match called off due to rain
NHA restores traffic on roads affected by recent rains in Balochistan
China to fully support Pakistan's efforts against terrorism: Ambassador Jiang
U.S. envoy calls on Foreign Minister Ishaq Dar
Poland arrests man over suspected plan to kill Zelensky
EU wants to ease youth movement to and from UK
Police foils attempt of supply mainpuri raw material
More Stories From World
-
Israel assault has turned Gaza into 'humanitarian hellscape': UN
12 minutes ago -
Husband of ex-Scottish leader charged over alleged embezzlement: police
32 minutes ago -
Ecuador hit by power cuts of up to 13 hours amid drought
51 minutes ago -
Hugs or bullets? How Mexico presidential rivals aim to curb violence
52 minutes ago -
Kenya military chopper crash kills defence chief, senior officers
2 hours ago -
Biden hails 'incredible' Kennedy family backing against RFK Jr.
2 hours ago
-
Maldives court frees jailed ex-president ahead of vote
2 hours ago -
Probe into Portugal ex-PM Costa appears to collapse
2 hours ago -
Jury selection stalls in Trump criminal trial
2 hours ago -
At UN, Iran says it will make Israel 'regret' reprisals
2 hours ago -
G7 hears calls for 'critical' Ukraine aid
2 hours ago -
EU seeks to leverage might to confront China, US challenge
2 hours ago