
How Capital One’s Data Breach Happened and What’s Next

More details have surfaced about a massive data breach at Capital One as the fallout from the cyberattack continues to spread.

The breach led to the July 29 arrest of a former Amazon software engineer, Paige Thompson, on federal computer fraud charges. The suspect appears to have exploited a vulnerability that has long been widely known, reports Krebs on Security.

Although Capital One hosted operations in the cloud through Amazon Web Services, Thompson’s old work ties to Amazon do not seem to have been a factor. Instead, the hack involved a layer of security known as a web application firewall, which was misconfigured in a way that enabled a well-understood type of attack called server-side request forgery, or SSRF. “SSRF has become the most serious vulnerability facing organizations that use public clouds,” writes Evan Johnson, manager of the product security team at Cloudflare, in a recent blog post on Capital One. “The impact of SSRF is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it.”

Amazon pointed Krebs to resources that it said Amazon Web Services customers could use to reduce this sort of threat. “The intrusion was caused by a misconfiguration of a web application firewall and not the underlying infrastructure or the location of the infrastructure,” according to an Amazon statement.

Republican and Democratic lawmakers, including Sen. Elizabeth Warren (D-Mass.) and Rep. Jim Jordan (R-Ohio), have sent letters to Capital One CEO Richard Fairbank requesting information about the incident, report Roll Call and Bloomberg. Jordan also wrote to Amazon CEO Jim Bezos.

Meanwhile, Capital One and GitHub, the code-sharing platform where the hacker had allegedly posted stolen information, face a federal class action seeking to represent the more than 100 million customers affected by the breach, reports Business Insider.

The Federal Bureau of Investigation has been investigating whether the suspect breached other organizations, reports The Wall Street Journal. Italian bank UniCredit and Michigan State University were named in a list of files purportedly posted by the alleged hacker.

The breach could have been worse, notes Security Boulevard. Cybersecurity pros at Capital One can take cold comfort in the fact that credit card numbers were not breached, nor were all but a fraction of the customers’ Social Security digits.

Still, a USA Today editorial calls for Capital One and other banks to rethink outsourcing information to the cloud.
