This blog post was updated on August 1, 2019 to include additional details uncovered as a result of the ongoing investigation associated with the Capital One data breach.
Capital One’s data breach may be one for the record books, impacting as many as 106 million U.S. and Canadian credit applicants dating back to as early as 2005. While it’s natural to want to draw parallels to the 2017 Equifax breach, there are a couple of details in this story that make it remarkably different – including Capital One’s quick response to a tip submitted through its Responsible Disclosure process.
According to multiple reports, 33-year-old Paige A. Thompson allegedly gained access to approximately 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 linked bank account numbers. Other affected personal information included phone numbers and credit scores. Thompson, who is facing five years in prison and a fine of up to $250,000, was previously an employee of Amazon Web Services, which hosted the Capital One database that was breached.
“The attacker was an ex-AWS employee, which did not give her special privileges, but does go to explain expertise of the AWS platform,” said Veracode Co-Founder and CTO Chris Wysopal. “The attacker found a configuration error in a Web Application Firewall (WAF) that allowed privileged commands to be executed with the credentials of Capital One. These commands had privileges that allowed her to access the storage where the Capital One PII was stored.”
Paul Farrington, Veracode EMEA CTO, noted that WAF log files are likely to have been stored in the AWS S3 storage system, which may be how the attacker was able to access the customer data that contain PII. What’s yet to be understood is who the WAF vendor is – if this breach is indeed the result of a configuration error, this vulnerability may be undocumented and many other organizations could be at risk.
It's looking likely that CapOne was only one of many organizations whose data was obtained by the defendant in this case. CapOne may be the only one that is public so far though.
— briankrebs (@briankrebs) July 30, 2019
UPDATE: TechCrunch's Zack Whittaker has reported that, "Israeli security firm CyberInt said Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may have also fallen victim to the same data breach," and that the Justice Department said Thompson may face additional charges, which suggests other companies may have been involved.
What Does Coordinated Disclosure Have To Do With It?
Many news outlets are drawing parallels to the 2017 Equifax breach, saying that this may not have happened if adequate measures had been taken legislatively to ensure significant consequence following breaches of this magnitude. The facts of the Capital One breach are certainly alarming, particularly when you consider that this is yet another example of consumers experiencing a significant privacy breach with far-reaching consequences. Certainly, the $700 million settlement Equifax is paying sets a precedent in penalizing companies that have not adequately protected their customers’ personal information – and failed to act quickly when a breach is brought to its attention.
That’s just one of the ways in which the Capital One breach is different. If the company was indeed breached through a WAF provided to them by a third-party vendor, it could be said that Capital One was doing its diligence to ensure the security of its customer data. We could get into how complicated supply chain security can be (think back to the AMCA data breach in June) and where the fault really lies in this case, but that seems fruitless given we don’t yet have all the facts.
It’s what we do know that deserves to be highlighted, both to differentiate this breach from Equifax and to highlight a critical best practice for all organizations with software underpinning the success of their business: Capital One has a working responsible disclosure process.
Thompson was not shy or discreet about her hack into the financial institution, posting the data she exfiltrated back in March to her GitHub account, which included her full name and resume. According to Wired, she also talked openly about it on Slack. The court documents indicate that on July 17, an anonymous tipster informed Capital One about the flaw and breach by emailing the responsible disclosure address with a warning about the data as well as the GitHub link.
In a statement made on July 29, Capital One said it, “immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible and that person is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate."
Meaning that once informed through its disclosure process, Capital One alerted the FBI, fixed the vulnerability, and the suspect was arrested – all within 12 days. Although consumers are still waiting to see if their data has been impacted, this response and resolution is much faster than others we have historically seen.
When a vulnerability in Zoom was made public earlier this month, it was done so by a security researcher who had disclosed the vulnerability to the video conferencing company 90 days before he published his blog post. At that time, they still hadn’t fixed it, and it became major news in the hours and days following the public disclosure.
The Capital One data breach could have been far worse had it not been for the openness of the hacker and the financial institution’s responsible disclosure process. Consumers may still be waiting to find out whether or not their information was breached, but it is clear that Capital One either learned from the massive breaches that came before or has a security leader hip to the value of working with outside security researchers.
The debates around responsible disclosure – now more commonly referred to as coordinated disclosure – have been going on for many, many years. We know that both businesses and the security community see the value, and that there is frustration from security researchers when they are either ignored or feel the issue isn’t being remedied fast enough. While it is important to consider how best to handle these breaches when it comes to legislative involvement, it is just as important to strengthen the relationship between enterprise and security researchers to ensure smooth reporting and resolution of flaws.
Vulnerabilities and flaws aren’t going anywhere – but we can all work together better to make sure they’re harder to exploit, and that resolution is swift after there has been a breach.
You can keep up with AppSec news like this, plus get trends and best practices, by subscribing to our content.