NY Attorney General Investigates Capital One; Lawsuits LoomQuestions Remain Over How Hacker Breached Bank Files
In what’s likely the first of many investigations, the New York attorney general's office announced late Tuesday that it’s launching a Capital One probe following the disclosure that over 100 million U.S. residents had their personal data exposed in a breach.
Meanwhile, the National Law Journal reports that the first of several breach-related class action lawsuits against Capital One are already being filed on behalf of customers.
Too Many Questions
New York Attorney General Letitia James says that even though the FBI arrested the alleged hacker on Monday, too many questions remain about why Capital One's internal security failed its customers.
"Though Capital One's breach was internal, the fact still remains that safeguards were missing that allowed for the illegal access of consumers names, Social Security numbers, dates of birth, addresses, and other highly sensitive, personal information," James said. "My office will begin an immediate investigation into Capital One's breach and will work to ensure that New Yorkers who were victims of this breach are provided relief. We cannot allow hacks of this nature to become every day occurrences."
We will begin an immediate investigation into the @CapitalOne breach, and will work to ensure that New Yorkers who were victims of this breach are provided relief.— NY AG James (@NewYorkStateAG) July 30, 2019
These hacks are becoming far too commonplace and we cannot allow this to become every day occurrences.
A spokesperson for Capital One could not be immediately reached for comment.
The New York attorney general was one of many attorneys general who joined with the Federal Trade Commission last week to enter a settlement with Equifax stemming from the credit reporting agency's 2017 breach. Under the terms of the deal, Equifax could pay up to $700 million (see: Consumer Advocates Criticize Equifax Settlement Plan).
While state prosecutors and consumers prepare their legal actions against Capital One, the FBI investigation into how the alleged hacker bypassed the bank's security and accessed hundreds of files stored in a cloud-based database continues.
On Monday, the FBI arrested Page A. Thompson, 33, who lives near Seattle, on one charge of computer fraud and abuse, according to federal court documents. She remained in custody Wednesday with a bail hearings set for Thursday in federal court, officials say.
The court documents provided by the FBI allege that Thompson accessed about 700 Capital One files stored with a cloud service provider, which has been identified in media reports as Amazon Web Services. In its own statement, Capital One noted that the breach affected about 100 million individuals in the U.S. and approximately 6 million more customers in Canada (see: Woman Arrested in Massive Capital One Data Breach).
The exposed Capital One data includes information on consumers and small businesses who applied for credit cards and other services between 2005 through early 2019. This includes applicant names, addresses, birth dates, credit histories, balances and payment histories, according to the company.
Data in the Cloud
The FBI criminal complaint notes that Capital One was tipped off that someone was copying and removing customer data that it stored within a cloud service - AWS Simple Storage Service, also known as an S3 bucket.
Some information related to the intrusion was uploaded to the code-sharing site GitHub. That site, as well as postings on social media, led the FBI to arrest Page, according to court documents.
Page appears to have worked at Amazon Web Service between 2015 and 2016. The FBI documents note that as a system engineer, she "formerly worked at the cloud computing company from 2015-16." Also, security blogger Brian Krebs located a copy of Page's resume uploaded to GitLab that states she worked at AWS during this time and focused on the company's Simple Storage Service.
The resume posted on GitLab says Page “assisted in the build-out and deployment of new load balancing capacity for S3."
In addition, Krebs found other messages apparently posted by Page on a Slack channel that show her talking about finding other unsecured Amazon cloud instances and hacking into them to see what other data she could find. It's not clear from her posts or the FBI complaint what, if anything, Page allegedly planned to do with this data.
An Amazon spokesperson declined to comment about Page or the Capital One breach.
Bypassing Security at Capital One
Although Page worked at Amazon and had some knowledge of how S3 buckets worked, the breach at Capital One started with an attack in early March that focused on a misconfiguration within one of the bank's web application firewall servers that allowed access to an administrative account by the name of *****-WAF-ROLE, according to the FBI complaint. In its paperwork, FBI Agent Joel Martini, who is the lead investigator, blacked out some portions of email address and services that are part of the case.
Once Page allegedly gained access to the WAF-ROLE account, she could then access the company's data stored with an AWS S3 bucket, according to the FBI complaint. There were two commands to execute once the WAF-ROLE was compromised. The first is called the "List Buckets Command," which offered a list of folders and names stored within the AWS bucket. After that, Page allegedly used a "Sync Command," to copy and extract the data from the larger S3 bucket, according to the FBI.
"Capital One tested the commands in the April 21 File and confirmed that the commands did, in fact, functions to obtain Capital One's credentials, to list or enumerate folders or buckets of data, and to extract data from certain of those folders or buckets," according to the FBI complaint filed on Monday.
When Capital One first received the tip that some of its data was posted to GitHub, one of the files that the bank's security investigators found was time stamped April 21, 2019. The file also contained the IP address for the misconfigured firewall server that allowed the breach to happen, according to the FBI complaint.
The Capital One breach is different than other instances where organizations have misconfigured their Amazon S3 buckets and left personal data exposed to the internet, says Richard Gold, the head of security engineering at security firm Digital Shadows (see: UpGuard: Unsecured Amazon S3 Buckets Exposed 1 TB of Data).
"This breach was an actual intrusion, rather than data that was carelessly left lying around - beyond simple data exposures we see more frequently linked to [Amazon] EC2 instances," Gold tells Information Security Media Group. "The attacker broke into the EC2 instance and then carried out a series of steps in order to gain access to the data that was exfiltrated. Attacks like this underscore the need to know your cloud environment very well. The misconfiguration that the attacker took advantage of was probably preventable."
Trying to Cover Tracks
In addition to some of the details concerning the hack at Capital One, the FBI complaint describes how Page allegedly attempted to avoid detection as she moved around the network. The bank's internal logs show someone attempting to connect to the network using the anonymizing Tor browser, according to the FBI.
In addition, the Capital One logs show that someone attempted to contact the network using a VPN from IPredator, a company based in Sweden. The FBI agents were able to trace the VPN's IP address back to those registered and controlled by IPredator, according to the court papers.
By looking at the logs of when Page allegedly tried to access the network with the VPN and Tor browser, investigators were able to show that the breach started around March 12. Later, on March 22, the WAF-ROLE administration account was used to execute the List Buckets command, the FBI notes. This was a significant red flag, but security experts believe it's something that could easily be overlooked.
"WAF-ROLE account does not, in the ordinary course of business, invoke the List Buckets Command," according to the court papers.
When looking at some of the possible mistakes Capital One made during this incident, it appears that the bank allowed too many people to access this WAF-ROLE account, says Mike Weber, vice president of labs at cyber risk management firm Coalfire.
"From what we understand about the root cause, it comes down to allowing too much access to roles that don't need it," Weber explains. "It appears that the role that was used, *****-WAF-Role (per the affidavit), had excessive permissions and had the ability to execute commands that the role doesn't need for proper operation of the [web application firewall] component. Errors like this are fairly commonplace, but in most cases aren't easy to detect through traditional security testing means. In fact, alone, this issue would at most rate a 'moderate' risk ranking. But in context with other security concerns, this is the key to the success of this attack."