106 million Capital One customers and applicants hit by data breach by former employee

Host: We have to start the show talking about the latest big breach. 100 million Capital One customers have had their data hacked. It included 140,000 Social Security numbers and 80,000 bank account numbers, and it was all reportedly done by one Seattle-based hacker who bragged about the hack on social media. Our own Brian Cheung is here with more on the story. Hey, Brian.

Brian Cheung: Hey, morning.

Host: So what's the deal? What should Capital One customers be doing this morning? How concerned should they be?

Brian Cheung: Yeah, so, I mean, the dust is still kind of settling, but Capital One had a statement yesterday saying that they would be spending about 100 to 150 million dollars on trying to make this up to customers, offering them some credit monitoring services. No details yet on exactly how customers can sign up for that.

Host: A million dollars per person?

Brian Cheung: Not, not per person. There are 106 million people who were...

Host: It's possible. We'll see. Is that the best way to spend that? It could also cover the legal costs, for example, other issues.

Brian Cheung: Yeah, regardless, I mean, a colossal amount in the number of people: a hundred million in the US, six million in Canada. This covers credit card accounts but also those who applied for credit cards, which means even if you don't have a Capital One card, if you applied for one at some point there's a chance that your name, address and other types of information might be floating out there.

Host: Yeah, not everyone had their Social Security information hacked, but, you know, obviously still a pretty bad situation.

Brian Cheung: And Capital One says that they'll be notifying their customers when they do have the protocol in place for how they can check and make sure that they weren't affected.

Host: The story behind the story is, I think, even more fascinating. Unfortunately, we don't want to make light of it, of course. However, the former AWS engineer who basically put it on blast: "Wow, look at what I have done." Can you explain more of how that ended up happening, and what are the repercussions for her?

Brian Cheung: So the culprit appears to be a 33-year-old, Paige Thompson. She was arrested in Seattle by the FBI yesterday. She's currently in custody and will have to go through criminal proceedings. But she was a former employee at Amazon AWS; she wasn't an employee at the time of her arrest. She worked there between 2015 and 2016, it was about a year or so, but obviously during the time that she was there she amassed a wealth of knowledge about how AWS coding works, and was able to use that knowledge to basically do what is kind of, she was fishing for a user ID and password, if you will. The equivalent, they actually call it an access key and a secret key, that you use to actually access the data that's stored by a company at AWS. She was able to force that from the files that were stored by Capital One at Amazon servers, and then use that to download the information of 106 million accounts. So there's a lot of questions here about what the due diligence was on behalf of Capital One to stop this from happening. Maybe they could have done a better job of protecting their user ID and password, maybe, you know, the password could have been different. There's a lot of kind of nuances here, but it seems like there's also some culpability, at least on Amazon's part, in the way that this hacker was able to basically use the vulnerabilities that she was aware of, because she had worked at AWS, to get into the company and see all this.

Host: I think that's what's so unique about this hack. I don't recall seeing the cloud tied to any of these recent big hacks, and I think that begs the question: with the rise of the cloud, what are these big cloud players doing to ensure that either outsiders don't break in or, in this case, allegedly an insider?

Brian Cheung: Absolutely, that's a great point. And for what it's worth, I mean, the cloud has experienced a number of hacks before. So actually in 2017, WWE, World Wrestling Entertainment, actually had exposed about three million accounts because of an issue that they had in terms of the way that they configured their cloud storage at AWS. And Verizon, which is actually our parent company, had also breached, actually above six million accounts in 2017, the same year, because of issues as well. In both of those cases, it appeared that it was their configuration problems that actually left open consumer data for anyone to take. It's unclear if anyone actually took it. In this case it's a little different, because it was a hacker that the FBI actually caught, who basically, like, fished Capital One's user ID and password to steal all this information. So, you know, the details of this are a little different than they were in the past.

Host: We're watching the stock move lower. Maybe you could argue it's surprising it's only down 6%, but it is moving lower live as we talk. Now let's bring in another guest to join us in this discussion about the Capital One hack. That is Jeff Bardin, and he is the chief intelligence officer at Treadstone 71, joining us from Fort Myers, Florida. Hey, Jeff, morning. How are you?

Jeff Bardin: Good.

Host: Thanks for coming on. Well, we were just talking about the hacker, and that's sort of the interesting part of this. What's your take, especially because you have the Amazon Web Services involvement because of the hacker, and because this does involve the cloud, as my colleague just brought up? What do you make of this hack? It's a little bit different than some of the other giant hacks in the last three years that have made such headlines.

Jeff Bardin: Yeah, it's a lot different. There's a few things that stand out for me. One, the background of Paige Thompson in load balancing and Amazon Web Services; that gives an insider's viewpoint of how AWS works and all the different components that are part of this. Number one. Number two, the other thing that stands out to me is the use of IPredator and Tor in these. These are standard LulzSec tools from back in 2011, tools that they used in pretty much all their hacks. A little bit different there is that this wasn't picked up, because IPredator is, or was, a standard tool used for VPN access to exfiltrate data, and it was always a trigger: if you saw IPredator in your log files, it was noticed that you were in trouble. The fact that that was in the cloud, whether it was a virtual private cloud or however they had this configured, is definitely concerning, because Capital One has devoted so many resources to storing their data in the cloud, using content networks to actually load balance and distribute all their content to their users. So it's definitely of concern here regardless of how they've configured it. The WAF, the web application firewall, access gave this individual pretty much root to everything they had.

Brian Cheung: Hey, Brian Cheung here. So obviously kind of an interesting situation here with Amazon and also Capital One, and obviously we still need to hear some more details beyond what we saw in the criminal complaint. But based on what you've seen, what does the culpability look like on Capital One and Amazon, given that maybe Capital One could have done a little bit more to secure the user ID and password, if you will, that ended up getting stolen by this person who had pretty good knowledge of AWS, but then, on the other hand, obviously this was an employee who knew exactly what the vulnerabilities were, so maybe there's due diligence for Amazon to have patched it up before this became an issue?

Jeff Bardin: It's a good point. It's hard to say exactly what the configuration was, but the fact that you have a WAF role, have an account that, in my view, doesn't seem like it was monitored. This is an account that is a trusted account, and trusted accounts are the ones that should be monitored for activity, and when someone starts to get into that account it should trigger some notices in their log files and their SIEMs that something unusual is going on. But obviously it didn't trigger it, because this person was caught because of their own failure of operational security. So there could be negligence there on Capital One's side for not monitoring internally trusted accounts, which is a standard mistake. Most of what they do is intrusion detection, intrusion prevention, to look at attacks from the outside, and they're not looking at the possible insider threat. So once the account was accessed, well, they pretty much seemed to have access to anything they needed to do what they wanted.

Host: So, Jeff, how do you prevent either current employees of a company from engaging in this kind of activity, in these kinds of breaches, or, you know, former employees? It seems like this is a really hard code to crack for companies across the board.

Jeff Bardin: Well, I tend to disagree with that, because I think a lot of it is rooted in basic configuration and change management activities. One, root accounts should never be accessed unless it's through a change management procedure, something that's pre-approved and validated in a test environment, and then, when they're actually executing it, it's turned on and then turned off after the actual change is executed. So I think some of that is rooted in this. On the other hand, firewalls are always changing and shifting, but when an account like that is accessed it should trigger something automatically. It should be monitored, it should be tracked, just as a standard protocol. So I don't think it's that difficult. On the other hand, there's a lot of hands in the cookie jar sometimes. There's so many people looking at things, changing things, things are fluid, and lots of times information security is put on the back burner as applications are changing regularly in environments made for agile development, continually pushing out new changes, while security sometimes takes a back seat.

Host: Yeah, one of the people who did get her hand stuck in the cookie jar is Paige Thompson. When you think about the hacker and the reasons that she wanted to get caught, you rightfully point out that it's not necessarily monetization efforts at face value. Why do you think this anger, this vitriol, really manifested this way, and how do you prevent a lot of these other kinds of disgruntled employees from doing something similar?

Jeff Bardin: It's hard to say. I mean, it's been a couple of years since Paige actually worked at Amazon. Who knows what's underneath the covers; it could be a combination of a lot of different psychological factors, so it's hard to say. On the other hand, when someone leaves your environment and they have had access of this type to your environment, any time you do an automatic changeover of passwords, and you shift and adjust your controls based on those people coming and going, that should be a standard rule set that you put in place. I think that can be done. On the other hand, she didn't use a password. She found some sort of a hole in the environment that maybe she had learned through understanding Amazon's CloudFront tool sets, their Aurora tool sets, their content distribution network, all their different load balancing activities that she had been participating in, to set this up, assuming as well that maybe she had been involved in setting up the Capital One environment. So it's hard to know, as things move so fast, what little holes are there, and who knows, maybe a back door was installed beforehand. We just don't know. It's unlikely three years later, but it's hard to say at this point. A lot of speculation. But a changeover when someone leaves that has access, there should be an automatic changeover, and that's sometimes hard because people come and go frequently and there's a lot of contractors involved as well.

Host: All right, we'll have to wait and see what happens next and what Capital One does, especially with pressure coming from customers that they
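Bardin's two detection points in the segment above, that a trusted role's credentials being used from an anonymising VPN or Tor address should trigger an alert in the SIEM, and that a role with broad storage access should not be able to enumerate and bulk-read data unnoticed, can be turned into a small log rule. The block below is an added example written for this page; it is not code from the broadcast, Capital One, or AWS. It runs over CloudTrail-style JSON event lines, and the role ARN, IP ranges, bucket names and sample events are all constructed (documentation-range addresses stand in for a real VPN/Tor exit-node feed).

```python
"""Added example: flag anomalous use of a trusted cloud role's credentials.

Input is a list of CloudTrail-style JSON event lines. Two rules:
  1. the role's credentials used from a source address that is not in the
     expected range (worse, one on an anonymiser denylist);
  2. one identity that lists all buckets and then touches >= N distinct ones.
Everything below (ARN, addresses, bucket names, events) is constructed.
"""
import json
from collections import defaultdict

# Hypothetical assumed-role ARN for the WAF instance's role. Temporary
# credentials stolen from the instance keep the same session name, so the
# source address, not the identity, separates legitimate from stolen use.
ROLE_SESSION_ARN = "arn:aws:sts::123456789012:assumed-role/waf-role/i-0abc123def"

# Constructed allow-list: prefixes from which this role is expected to call
# the storage API (the VPC's internal range and its NAT egress address).
TRUSTED_SOURCE_PREFIXES = ("10.0.", "203.0.113.")

# Constructed stand-in for a threat-intel feed of anonymising VPN and Tor
# exit addresses (TEST-NET addresses, not real IPredator or Tor nodes).
KNOWN_ANONYMISER_IPS = {"198.51.100.77", "198.51.100.78"}


def _event(name, ip, bucket=None):
    """Build one constructed CloudTrail-style event as a JSON line."""
    ev = {
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "AssumedRole", "arn": ROLE_SESSION_ARN},
    }
    if bucket is not None:
        ev["requestParameters"] = {"bucketName": bucket}
    return json.dumps(ev)


# Constructed log: the WAF instance reads its own config from inside the VPC;
# the same credentials then list every bucket and pull data from three others
# via two anonymiser addresses.
SAMPLE_LOG = [
    _event("GetObject", "10.0.1.5", "waf-config"),
    _event("ListBuckets", "198.51.100.77"),
    _event("ListObjects", "198.51.100.77", "customer-applications-2019"),
    _event("GetObject", "198.51.100.77", "customer-applications-2019"),
    _event("GetObject", "198.51.100.77", "card-accounts-archive"),
    _event("GetObject", "198.51.100.78", "ssn-verification"),
    _event("GetObject", "10.0.1.5", "waf-config"),
]


def parse_events(lines):
    """Parse JSON event lines, skipping malformed lines and non-events."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and "userIdentity" in ev and "sourceIPAddress" in ev:
            events.append(ev)
    return events


def classify_ip(ip):
    """Denylist wins over allow-list: a known anonymiser is never expected."""
    if ip in KNOWN_ANONYMISER_IPS:
        return "anonymiser"
    if ip.startswith(TRUSTED_SOURCE_PREFIXES):
        return "trusted"
    return "unknown_source"


def analyze(events, bucket_threshold=3):
    """Return findings: one per (identity, untrusted source IP) pair, plus one
    per identity that ran ListBuckets and touched >= bucket_threshold buckets."""
    by_identity = defaultdict(list)
    for ev in events:
        by_identity[ev["userIdentity"].get("arn", "?")].append(ev)

    findings = []
    for identity, evs in sorted(by_identity.items()):
        for ip in sorted({ev["sourceIPAddress"] for ev in evs}):
            verdict = classify_ip(ip)
            if verdict != "trusted":
                findings.append({"rule": "credentials_used_from_" + verdict,
                                 "identity": identity, "ip": ip})
        enumerated = any(ev["eventName"] == "ListBuckets" for ev in evs)
        buckets = {ev.get("requestParameters", {}).get("bucketName") for ev in evs}
        buckets.discard(None)
        if enumerated and len(buckets) >= bucket_threshold:
            findings.append({"rule": "bulk_enumeration", "identity": identity,
                             "buckets": sorted(buckets)})
    return findings


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding))
```

Grouping by the full assumed-role ARN is deliberate: credentials lifted from an instance carry that instance's session name, so the identity alone looks legitimate and only the source address and the breadth of access give the theft away. In a real deployment the allow-list would come from the VPC configuration, the denylist from a maintained exit-node feed, and the threshold from the role's historical bucket footprint rather than a constant.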

9 thoughts on “106 million Capital One customers and applicants hit by data breach by former employee”

  1. Paige Adele Thompson: Capital One hacker, She had to have had inside help!
    No Security is secure if insiders can be paid off to assist with insider knowledge.
    People are selling your information if someone will pay the price for knowledge.
    So how can we ever really STOP people from sharing info illegally? YOU CAN'T..🤦🏻‍♀️

  2. It's a joke to say we will spend $100 million towards security, when 100 million plus people have data stolen, so they are saying we will spend about one dollar / $1.00 on your personal security. What is that…..? Seriously. And Capital One is taking over in October for Walmart, instead of Synchrony Bank. Hmmm… I know this… If my data was hacked…. Capital One needs to break out their checkbook. If you see no data breaches, if your data was stolen, that doesn't mean in a couple of years it won't be used. Think about that. This is a huge deal.

  3. $100-$150 million in services to 106 million people is not 1 million dollars per person…. more like $1 per person. That ought to put it into perspective how much they care.

  4. Data breaches are as fake as a school shooting. Strictly for the crisis actor channels to talk about. The IT/33/We/satan possessed ticks.

    They simply lie and sell your data to anyone. There are no controls. Government causes all problems and can’t be trusted to do anything but steal and lie. In god we trust means they worship we/33/Satan. FYI.
