The woman responsible for the Capital One hack reportedly pulled it off through a vulnerability in the cloud.
Last week Capital One revealed that on July 19 it discovered unauthorized access by an outside individual, adding that it immediately fixed the configuration vulnerability that was exploited and immediately notified federal law enforcement. The FBI arrested a Seattle-area woman, Paige A. Thompson, on a charge of computer fraud and abuse.
Thompson is a former employee at Amazon’s cloud-computing unit, and was allegedly able to find an opening in the financial institution’s systems and exploit a weakness in certain misconfigured networks, according to The Wall Street Journal.
The gap is not a surprise. In fact, security professionals have been warning about it for years. Thompson even boasted in online forums about using techniques to access the sensitive data.
Through the gap, Thompson was able to access a central piece of Amazon’s cloud technology known as its metadata service, which holds the credentials and other data needed to manage servers in the cloud. After looking at her online messages, the WSJ reported that Thompson first ran a scan of the internet in March to find vulnerable computers. She eventually discovered one with weak security settings that managed communications between Capital One’s cloud and the public internet, and was able to access the data from there.
“Dude, so many people are doing it wrong,” Thompson said in a June 27 online message, speaking about how some companies were incorrectly configuring their servers.
Once she found the Capital One data, she was able to download it without triggering any alerts. In fact, Capital One didn’t discover the breach until 127 days later.
Amazon said in a statement that none of its services were the underlying cause of the break-in, but some experts said the company isn’t doing enough to make its customers aware of these issues.
Thompson, who is still being detained by authorities, implied in an online posting that she has used these same techniques to target other companies’ cloud-computing accounts, including Italian bank UniCredit SpA and Ford Motor Co. Both companies have said they are looking into it, and the FBI has opened up an investigation into other potential targets.