Securing data in the cloud is an often overlooked element of cyber security and the Capital One data breach is a perfect example of how even major corporations can fall victim to attacks on cloud servers. Paige Thompson, a former Amazon Web Services (AWS) systems engineer, took advantage of a misconfigured firewall to pilfer the personal data of more than 100 million Capital One customers’ accounts and credit card applications. Thompson was able to gain access to the names, addresses, credit information, bank account numbers, Social Security numbers, and Canadian Social Insurance numbers of customers from one of the biggest banks in the world.
The Cloud Breach
Capital One was storing its client data on Amazon’s AWS cloud servers and did not realize the servers had been breached for months until a white hat hacker tipped them off that someone had posted code to GitHub that allowed access to the server as well as a list of 700 folders on the server that contained confidential client data.
The misconfigured firewall allowed Thompson to reach and execute commands on the server. She concealed her access to the server by using a VPN and the TOR network, which relays communications through several intermediate nodes so that it is impossible to tell where the communication originated unless a person has access to an exit node. Accessing the TOR network or using a VPN is as simple as downloading a program on your computer.
Thompson was then able to access the files on the server using only three commands. According to the Department of Justice’s complaint, the first command, by itself, obtained security credentials that allowed access. The second command then would list the names of folders and the third command extracted the data from those folders.
The fact is this breach was wholly preventable. Hackers love to find the type of misconfiguration Thompson exploited because they are so common. They are also easily fixed as long as a company understands the risks and is prepared.
Managing Cloud Security
Capital One’s breach is a terrifying display of the often unspoken risks associated with using the cloud. Amazon’s AWS is the world’s largest cloud service provider with approximately 34 percent of all cloud computing services running off of their servers. The Amazon name may provide a false sense of security and consumers and companies alike often assume that the cloud is in and of itself a form of security. The cloud, however, is simply a platform and you as the data owner are still responsible for what is stored, how it is stored, and how that data is secured.
Amazon does offer tools for securing your information but it is still the end users responsibility to utilize and implement them. That requires more than simply flipping a switch. Protecting sensitive data stored on the cloud means using the right tools and developing strategies, policies, and procedures that will help you respond in the event of a breach.
The right tools should include the use of encryption to secure not just data on the cloud but data on any platform. Your data security strategies and protocols should take into account not just technical threats but also personnel threats. Thompson worked for AWS and insider threats must always be a concern. You may trust your employees, but they can quickly become a problem if you are not careful. A disgruntled employee or former employee may quickly turn around and weaponize their insider knowledge against you so it is important that you have procedures in place to make sure privileged credentials are closed and that employees are offboarded appropriately.
Thompson’s motives are still unclear. She did the bare minimum to cover her tracks and yet her full name was associated with the GitHub page. With a proper set of cyber security strategies and protocols for handling insider threats, Capital One could have potentially gotten out in front of the problem before it even became an issue. Instead Capital One now faces a potential civil class action, a congressional investigation, and a negligence investigation from the New York Attorney General that recently co-led the lawsuit against Equifax for its 2017 breach.