Capital One identity theft hacker finally gets convicted

Remember the Capital One breach?

We did, though we felt sure it had happened a long time ago.

Indeed, when we checked, it had: the story first broke almost three years ago, back in July 2019.

At the time, the company reported:

Capital One Financial Corporation announced […] that on July 19, 2019, it determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers.

And we noted that:

So far, there are no details to suggest what sort of vulnerability was exploited, and therefore no indication of what has now been changed and how permanent or effective the fixes might be.

Was the breach down to an unpatched security bug, poor password choice, incorrrect access control, a cloud-related configuration blunder, or what?

All we knew back then was that this was a huge breach by any standards, affecting at least:

  • 100,000,000 users in the USA
  • 6,000,000 users in Canada
  • Any consumer or small business who applied for a credit card in the previous 14 years.
  • Personal data including names, addresses, zip codes, phone numbers, email addresses, dates of birth, and income.

Some customers also lost yet more intimate personal information such as credit scores, credit limits, balances, payment history, contact information, social security numbers (SSNs) and bank account numbers.

Fortunately, if that’s the right word in a case like this, “only” about 150,000 victims actually had their SSNs exposed (in the US, SSNs are effectively lifelong unique national ID numbers), meaning that about 99.9% of victims escaped that fate.

The cost of the breach

This breach cost Capital One dearly in more than one way.

Even though the company was itself the victim of a cybercrime, it was ultimately hit with a $190,000,000 class action settlement plus an $80,000,000 fine from the US Office of the Comptroller of the Currency (OCC).

The OCC noted:

[We] took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner. In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts.

As you will notice from the OCC’s remarks above, the breach ultimately came down to poor cloud security, with data apparently exposed due to being shifted from a privately-controlled data store into the cloud.

There’s no reason why a public cloud deployment can’t be done securely, of course, but the potential consequences if it isn’t are huge.

A publicly visible cloud server is open to a much broader ranges of probes, attacks and hacks – what’s known in the jargon as “having a much larger and more exposed attack surface”.

Intriguingly, the fact that this was a cloud-related breach was quickly revealed after Capital One notified its customers of the attack, because the alleged perpetrator was soon arrested.

Cloud “anti-security” scanning

Paige Thompson, who was 33 at the time, was accused of the attack, apparently using what you might call “anti-security” tools of her own devising to scan cloud providers for vulnerable and misconfigured services, and from there to recover access credentials, gain acccess, exfiltrate data and infiltrate malware.

At the time, the US Department of Justice (DOJ) suggested that Thompson hadn’t tried to sell on the stolen data, but that she had used compromised services for what’s known as cryptojacking.

That’s where crooks deliberately install cryptomining software on other people’s devices – all the way from laptops and mobile phones, through powerful gaming rigs, to physical and virtual servers.

The victims end up paying for the electricity, cooling and server time, while the crimimals accumulate any cryptocurrency that gets earned in the process.

Anyway, the DOJ has just announced that Thompson has now been convicted, though she will only be sentenced in September 2022:

Thompson was found guilty of [w]ire fraud, five counts of unauthorized access to a protected computer and damaging a protected computer. The jury found her not guilty of access device fraud and aggravated identity theft.

Using Thompson’s own words in texts and online chats, prosecutors showed how Thompson used a tool she built to scan Amazon Web Services accounts to look for misconfigured accounts. She then used those misconfigured accounts to hack in and download the data of more than 30 entities, including Capital One bank. With some of her illegal access, she planted cryptocurrency mining software on new servers with the income from the mining going to her online wallet. Thompson spent hundreds of hours advancing her scheme, and bragged about her illegal conduct to others via text or online forums.

In the DOJ’s words, “Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself.”

What to do?

  • If you want to get started in cybersecurity, read the rules and follow them. Many companies publicly endorse research-style “hacking” against their systems, and offer to pay so-called bug bounties to ethical researchers who responsibly report any holes they find so they can be fixed before they can be exploited by cybercriminals. But bug-bounty programmes almost always have explicit rules and clear limits to what is considered in scope. If you don’t follow the rules (for example, if you try to use your findings as a form of “bug blackmail”, or if you deliberately disrupt services or steal data when that wasn’t necessary to prove your point) then you are unlikely to be treated with much sympathy.
  • Routinely and regularly scan your own on-line assets for security weaknesses. As this case shows, if you don’t scan your cloud resources to look for configuration errors and exposed data, then the crooks will do it for you.
  • Practise what you will say and how you will react if you do get breached. Even though Capital One ended up with an $80m fine in this case, the regulators did note that they “positively considered the bank’s customer notification and remediation efforts”, meaning that things would almost certainly have been much worse if Capital One had tried to sweep things under the carpet. Prompt reaction may also give law enforcement a chance to collect evidence before it can be destroyed.

Planning in case you fail doesn’t mean that you are planning to fail, and you’ll probably find that your preparations make it less likely that you will fail, anyway.



go top