What Happened? Capital One Breach

Tipster’s Email Begins Saga That Ultimately Brings $80M Fine

By Najmeh Tima

“What Happened?” is an occasional feature by Digital Privacy News that looks back on some of the tech industry’s biggest data breaches last year.

Capital One Bank last month agreed to pay an $80 million fine over a data breach last year that affected more than 100 million credit-card applications — and about 106 million people worldwide.

The Aug. 6 announcement by the U.S. Comptroller of the Currency nearly closes a grueling saga that began with a tipster’s email on July 17, 2019, that a hacker had stolen troves of customer data through an “improperly configured firewall” — eventually costing Capital One as much as $150 million.

The alleged hacker, Paige Adele Thompson, 33, of Seattle, has been charged after posting on online platforms files that she claimed to possess.

One file she allegedly shared was associated with Capital One.

“All of these attacks relied on the attacker gaining access to a third-party provider … with trusted access.”

Allan Liska, Boston intelligence analyst.

Thompson has been charged with computer fraud, massive data theft and cyber intrusion — and she faces up to five years in prison and a $250,000 fine if convicted in an Oct. 19 trial in U.S. District Court in Seattle.

Capital One did not return repeated requests for comment from Digital Privacy News.

Reasons Behind Penalty

In announcing the $80 million fine, the Comptroller’s Office said the penalty was based on Capital One’s “failure to establish effective risk-assessment processes” before migrating part of its database to a cloud-storage system and for not correcting “the deficiencies in a timely manner.”

In its initial investigation, Capital One said in a statement last year that its system had been hacked as early as March 2019 — and that the company had “immediately” fixed the issue on July 19, two days after the tipster’s email.

Thompson, who worked for Amazon, a third-party contractor to Capital One, had left the company nearly two years before the hack, though court papers said she obtained the necessary credentials through a firewall misconfiguration on cloud servers.

“Removing access from an employee who was no longer employed by the contractor, so better Identity and Access Management (IAM), was the security measure the company should have taken on the front end,” Allan Liska, an intelligence analyst, told Digital Privacy News.

He works for Recorded Future, a Boston research company involved with corporate security programs.

Liska noted an old adage in security circles.

“If you are a defender,” he said, “you need to be right all the time. If you are an attacker, you only need to be right once.”

Third-Party Contractor Issues

Capital One’s vulnerability was traced back to the third-party contractor, Liska said.

“The biggest thing is trust,” he observed. “All of these attacks relied on the attacker gaining access to a third-party provider (and in the case of Capital One a contractor) with trusted access.”

“When that trust is breached, there weren’t any other protections — such as two-factor authentication to protect the company,” he said. 

Large organizations, Liska told Digital Privacy News, have unwieldy network infrastructures — often with dozens, if not hundreds, of third-party connections.

“Each one of those third-party vendors and exposed network connections creates a point of entry for an attacker,” he said.

But bigger cyberattacks are coming, regardless of the company, he warned.

“Every time we think there can’t be a bigger target hit by one of these attacks, an even bigger one comes along,” he told Digital Privacy News.

Alleged Hacker’s Status

“I cannot comment on Thompson’s case at this time,” Mohammad Hamoudi, a federal public defender who had been representing her, told Digital Privacy News.

She remains on “pretrial release with multiple restrictions on her activities,” said Emily Langlie, a spokesperson for the U.S. Attorney’s Office in Western Washington.

According to her online resume on Scribd, Thompson worked at Amazon, the cloud-computing provider for Capital One, and other large companies.

She worked at Amazon as recently as 2016 and allegedly breached the customer information from 2016 through early last year. 

Thompson allegedly boasted about her Capital One intrusion on various social media on June 18, 2019, according to court documents. 

“I am deeply sorry for what has happened.”

Richard D. Fairbank, Capital One chairman and CEO, in a September 2019 statement.

The FBI executed a search warrant on Thompson’s home that July 26. In her bedroom, authorities found digital devices with files and items that referenced Capital One under the nickname “erratic,” complaint papers said.

After her arrest, Thompson admitted in a statement to the data breach and theft from Capital One and several other entities, court papers indicated.

‘Configuration Vulnerability’

Capital One said in a statement after its investigation that Thompson accessed customer data through a “configuration vulnerability.”

The first intrusion occurred March 22-23 of last year — and data from the previous three years had been transacted within 23 days, the company said.

Capital One posted an international alert on its website that Sept. 23 — and the company said it “immediately fixed the issue” and began working with authorities.

The hacked data later was recovered and “there is no evidence the data was used for fraud or shared by this individual,” the company said in the alert.

“No credit-card account numbers or log-in credentials were compromised.”

Thompson allegedly gained access to the information of 100 million Americans and 6 million Canadians, including 140,000 Social Security numbers of credit-card customers and 80,000 linked bank-account numbers of secured cardholders.

The specific data lifted included card applications, names, addresses, ZIP codes, cellphone numbers, email addresses, dates of birth and income.

“When a major corporation loses data on a hundred million Americans because of configuration error, attention naturally focuses on the corporation’s cybersecurity practices.”

Sen. Ron Wyden, D-Ore., in an August 2019 letter to Amazon CEO Jeff Bezos.

“While I am grateful that the perpetrator has been caught,” Capital One Bank Chairman and CEO Richard D. Fairbank said in a Sept. 23, 2019, statement on the company’s website, “I am deeply sorry for what has happened.

“I sincerely apologize for the understandable worry this incident must be causing those affected — and I am committed to making it right,” he said.

The Capital One breach also made U.S. lawmakers more concerned about the vulnerabilities of underlying cloud-computing systems.

“When a major corporation loses data on a hundred million Americans because of configuration error, attention naturally focuses on the corporation’s cybersecurity practices,” Sen. Ron Wyden, D-Ore., told Amazon CEO Jeff Bezos in an Aug. 5, 2019, letter after the breach.

“However, if several organizations all make similar configuration errors, it is time to ask whether the underlying technology needs to be made safer, and whether the company that makes it shares responsibility for the breaches.” 

Najmeh Tima is a writer based in Iran.
