Breach Notification , Cloud Security , Cybercrime

Woman Arrested in Massive Capital One Data Breach

Authorities Allege Paige A. Thompson Referenced Stolen Files on GitHub
Woman Arrested in Massive Capital One Data Breach
A Capital One branch in Queens, New York. (Photo: Tdorante10 via Wikimedia Commons/CC)

A Seattle-area woman has been charged with accessing tens of millions of Capital One credit card applications after allegedly taking advantage of a misconfigured firewall.

See Also: 2018 Banking Threat Landscape: An Inside Look at How Cybercriminals Target Financial Services

Page A. Thompson, 33, is charged with one count of computer fraud and abuse, according to a criminal complaint filed in federal court in Seattle. She was arrested at a residence on Monday.

Thompson is accused of accessing Capital One files that were stored with a cloud service provider, which appears to be Amazon, between March 12 and July 17. Investigators allege that she posted information related to the intrusion on the code-sharing site GitHub and on social media, which apparently resulted in her quick arrest.

According to a statement released by Capital One, acknowledging the breach, the incident affected approximately 100 million individuals in the United States and approximately 6 million in Canada.

Federal investigators believe this is Paige A. Thompson’s Twitter account.

Capital One’s massive breach comes just a week after credit bureau Equifax has reached a proposed settlement with the Federal Trade Commission over its 2017 breach. Under the terms, Equifax could pay up to $700 million, although some are criticizing the proposed deal (see Consumer Advocates Criticize Equifax Settlement Plan).

The pressure is likely to be full force on Capital One in light of the continuing concerns over how corporations protect consumer data. The Washington Post reports that Capital One is anticipating a near-term cost as a result of the breach between $100 to $150 million.

Richard D. Fairbank, Capital One's Chairman and CEO, says in a statement that "while I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened."

"I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right," he says.

Unencrypted Data

Some of the Capital One’s data was encrypted or tokenized, but some wasn’t.

According to Capital One, "no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised." The exposed data, drawn from information on consumers and small businesses as of the time they applied for credit card products from 2005 through early 2019, includes applicant names, addresses, birth dates, credit histories, balances and payment histories. Also, fragments of transaction data from a total of 23 days between 2016 and 2018 were exposed.

The criminal complaint against Thompson.

Capital One says 120,000 Social Security numbers, 77,000 bank account numbers and for residents of Canada, one million Social Insurance Numbers are affected.

The institution says in its statement that “it immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement.”

Capital One says that it doesn’t believe the data has been used to commit fraud or been distributed. However, the criminal complaint indicates that Thompson may have signaled she intended to do so before she was arrested.

Misconfigured Firewall

According to the criminal complaint, Capital One received an email on its bug reporting address that someone had “leaked S3 data.” S3 refers to Amazon’s Simple Storage Service.

Capital One received this email from tipping it off to the breach, according to the criminal complaint.

The GitHub site contained Thompson’s full name, the complaint says. Capital One examined the material on the GitHub page, which contained three commands and a list of 700 folders.

Capital One determined that “a firewall misconfiguration permitted commands to reach and be executed by that server, which enabled access to folders or buckets of data in Capital One’s storage space at the cloud computing company,” the complaint says.

One of the commands allowed Thompson to obtain security credentials for an account, *****-WAF-ROLE, which enabled access to other folders. The other two commands listed the available buckets, with the other one allowed to copy or sync the data. Most of the data that was copied was related to credit card applications.

Chris Pierson, CEO of the cybersecurity company BlackCloak, says banks are generally good at scanning for software vulnerabilities, misconfigurations and access management control issues.

“However, it only takes one small error in configuration or one overlooked control to allow improper access to a data store, and that is what it looks like happened in March of this year,” Pierson says.

Capital One’s logs showed connections to the files from IP addresses belonging to IPredator, a Sweden-based VPN service, as well as TOR exit nodes.

The GitHub page led to Thompson’s resume, which was posted on gitlab.com, the complaint says. The resume indicated that Thompson is a systems engineer “and formerly worked at the cloud computing company from 2015-16,” it says.

That would indicate that Thompson formerly worked for Amazon, although searches for her resume weren’t immediately successful.

Slack Opsec?

Investigators also uncovered a Meetup group where Thompson had allegedly created a Slack channel. A review of the Slack channel posted showed a list of files posted by someone going by the nickname “erratic,” which is believed to be Thompson’s Twitter handle as well.

Two of the files in the Slack channel posting referenced *****-WAF-ROLE. Later, Thompson allegedly referred to that account again and that it was associated with Capital One, the complaint says.

Capital One also supplied investigators with a screenshot of a conversation that Thompson allegedly had via direct message on Twitter with its tipster on June 18. The message indicated that Thompson may have wanted to distribute the stolen data and was aware of the trouble coming.

Capital One sent investigators this screenshot of Thompson’s alleged communications with the tipster.

During the search of Thompson’s bedroom, the complaint says files and items that referenced Capital One were found along with those referencing the cloud computing company.

Bloomberg reports that Thompson broke down and laid her head on the defense table during a hearing on Monday. If convicted, she could face five years in prison and a $250,000 fine, it reported.

Capital One Financial Corporation, headquartered in Virginia, is a financial holding company whose subsidiaries, which include Capital One, N.A., and Capital One Bank (USA), N.A., had $254.5 billion in deposits and $373.6 billion in total assets as of June 30, 2019.


About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.