Incident: Capital One Data Breach via Misconfigured Firewall on AWS Cloud

Published Date: 2019-07-29

Postmortem Analysis
Timeline
1. The software failure incident involving Capital One and the hack by Paige A. Thompson occurred between March and July of 2019, as reported in Article 87169.

System
1. Capital One's misconfigured firewall system [86964, 87169]
2. Capital One's infrastructure [87169]

Responsible Organization
1. Capital One's misconfigured firewall allowed the hacker to access customer data [86964, 87169]
2. Paige A. Thompson exploited Capital One's systems to steal data stored on Amazon's Web Services cloud [86964, 87169]

Impacted Organization
1. Capital One [86964, 87169]
2. Amazon [86964, 87169]

Software Causes
1. Misconfigured firewall in Capital One's infrastructure allowed the hacker to access customer data [86964, 87169]
2. Vulnerability in Capital One's systems, not specific to the cloud, enabled the breach [86964, 87169]
3. Exploitation of a 'misconfiguration' in the firewall of Capital One's infrastructure [87169]

Non-software Causes
1. Misconfigured firewall at Capital One allowed the hacker to access the server storing customer data [86964, 87169]
2. Lack of proper encryption by the hacker, leaving her full name in the IP address [87169]
3. Inadequate data protection measures at Capital One, leading to the breach [87169]

Impacts
1. Approximately 100 million credit card applicants in the United States had their data compromised, including 140,000 Social Security numbers and 80,000 bank account numbers [86964].
2. The hack is estimated to cost Capital One $100 million to $150 million in the near term [86964].
3. The incident raised questions about how companies handle and store historical data, such as credit card applications dating back more than a decade [86964].
4. Capital One set up an email address for tipsters to raise alarms about potential holes in the company's systems, indicating a need for improved cybersecurity measures [86964].
5. The hack led to concerns about the security of cloud services, as Capital One was a leading advocate for cloud services in the banking industry [86964].
6. The breach highlighted the importance of quickly diagnosing and fixing vulnerabilities in systems to prevent data breaches [86964].
7. The incident resulted in increased scrutiny of data protection and customer privacy practices in the financial industry, following other high-profile data breaches such as the Equifax breach [87169].

Preventions
1. Proper firewall configuration and regular security audits could have prevented the software failure incident [86964, 87169].
2. Implementing stricter access controls and monitoring of data access could have helped detect unauthorized access earlier [86964, 87169].
3. Improved employee training on cybersecurity best practices and awareness of potential vulnerabilities could have prevented the breach [87169].
4. Utilizing encryption techniques for sensitive data stored in the cloud could have added an extra layer of security [87169].
5. Timely response to potential security threats reported by external sources, such as the tip received via email, could have prevented the data breach [87169].

Fixes
1. Properly configuring the firewall to prevent unauthorized access to the server storing sensitive data [86964, 87169]
2. Implementing routine scanning and vulnerability assessments to identify and fix potential weaknesses in the infrastructure [87169]

References
1. Capital One's official statements and disclosures
2. Federal prosecutors
3. Amazon
4. FBI
5. Court documents
6. Twitter posts by the suspect, Paige Thompson
7. Meetup page used by Thompson
8. Slack chat conversations
9. Equifax settlement details
10. New York Attorney General Letitia James
11. Washington policymakers

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident having happened again at one_organization:
- Capital One experienced a previous data breach incident in July 2017 in which customer data may have been compromised by one of the company's employees [Article 87169].
(b) The software failure incident having happened again at multiple_organization:
- Equifax, another company in the credit-reporting industry, also faced a massive data breach in 2017 that compromised the personal information of 143 million Americans [Article 87169].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident in the Capital One hack was primarily due to a misconfiguration in Capital One's firewall, which allowed the hacker to access the server where customer data was stored. This misconfiguration was a contributing factor introduced during system development or system updates. The breach was not attributed to Amazon's cloud services but to a vulnerability in Capital One's infrastructure [86964, 87169].
(b) The operation of the system also played a role in the software failure incident. The hacker, Paige Thompson, exploited the misconfiguration in Capital One's firewall during operation of the system, gaining unauthorized access to sensitive customer data stored on Amazon's Web Services cloud. Thompson's actions in breaking into the bank's systems and stealing data occurred during the operation of the system [86964, 87169].

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident at Capital One was primarily due to contributing factors that originated from within the system. The incident involved a misconfigured firewall within Capital One's infrastructure that allowed the hacker to access and steal data stored on Amazon's Web Services cloud [86964, 87169]. Additionally, the vulnerability in Capital One's system was exploited by the hacker, Paige Thompson, who was able to break through the firewall and access sensitive customer data [87169].
(b) outside_system: There is no clear indication in the articles that the software failure incident at Capital One was primarily due to contributing factors that originated from outside the system. The focus of the incident was on the internal misconfiguration of the firewall within Capital One's infrastructure that led to the data breach [86964, 87169].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident occurring due to non-human actions:
- The software failure incident at Capital One was primarily due to a misconfigured firewall that allowed a hacker to access the server where customer data was stored [86964].
- The breach was facilitated by a misconfiguration in Capital One's infrastructure, specifically a misconfigured firewall, which enabled the hacker to access the data stored on Amazon's Web Services cloud [87169].
(b) The software failure incident occurring due to human actions:
- The hacker, Paige A. Thompson, was accused of breaking through the misconfigured Capital One firewall to access customer data [86964].
- Paige Thompson, a former Amazon engineer, was arrested for allegedly hacking Capital One's systems to steal data stored on Amazon's Web Services cloud [87169].
- Thompson exploited a misconfiguration in the firewall of Capital One's infrastructure to gain unauthorized access to the data [87169].
- Thompson left a trail of breadcrumbs by posting about the hack online and even discussing it on social media, which ultimately led to her identification and arrest [87169].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident occurring due to hardware:
- The software failure incident involving Capital One's data breach was not directly attributed to hardware issues but to a misconfigured firewall that allowed a hacker to access the server where customer data was stored [86964, 87169].
(b) The software failure incident occurring due to software:
- The software failure incident at Capital One was primarily caused by a misconfigured firewall, a software issue that allowed the hacker to breach the system and access customer data [86964, 87169].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident in this case was malicious. The incident involved a hacker, Paige A. Thompson, who intentionally broke through a misconfigured Capital One firewall to access and steal data from the bank's servers. Thompson, a former Amazon engineer, exploited a vulnerability in Capital One's infrastructure to steal the personal information of approximately 100 million credit card applicants in the United States, including Social Security numbers and bank account numbers [86964, 87169].
(b) The software failure incident does not qualify as non-malicious, because it was not caused by unintentional errors or faults in the system. Instead, it was a deliberate act of hacking by an individual with the intent to steal sensitive data from Capital One's systems. The breach was not the result of accidental misconfigurations or software bugs alone but of a targeted attack on the bank's infrastructure [86964, 87169].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident:
- The software failure incident involving Capital One's data breach was primarily due to poor decisions regarding cybersecurity measures and infrastructure setup. The breach occurred due to a misconfigured firewall at Capital One, which allowed the hacker to access customer data stored on Amazon's Web Services cloud [86964, 87169].
- The hacker, Paige A. Thompson, exploited a misconfiguration in Capital One's infrastructure, not Amazon's, to gain unauthorized access to the data. This misconfiguration in the firewall was a critical factor that led to the breach [87169].
- Thompson's actions, including openly discussing the hack online and leaving identifying information, indicate a deliberate attempt to breach the system and steal data. However, the vulnerability in Capital One's infrastructure played a significant role in enabling the hack to occur [87169].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident in the Capital One hack can be attributed to development incompetence. The breach occurred due to a misconfigured firewall at Capital One, which allowed the hacker to access the server storing sensitive customer data [86964, 87169]. This misconfiguration was a result of a vulnerability in Capital One's infrastructure, not Amazon's cloud services, indicating a failure in the development and implementation of secure systems by Capital One's IT team.
(b) Additionally, the incident can also be categorized as accidental. The hacker, Paige Thompson, exploited a misconfiguration in Capital One's firewall accidentally, gaining unauthorized access to the data stored on Amazon's Web Services cloud [87169]. Thompson's actions, although intentional, were accidental in the sense that she stumbled upon the vulnerability and exploited it without specific insider knowledge or malicious intent to steal money [87169].

Category: Duration
Option: temporary
Rationale:
The software failure incident related to the Capital One hack can be considered temporary. The incident occurred due to a misconfiguration in Capital One's firewall, which allowed the hacker to access the data stored on Amazon's Web Services cloud [86964, 87169]. This misconfiguration was a contributing factor introduced by certain circumstances, specifically the vulnerability in Capital One's infrastructure, rather than a permanent failure caused by all circumstances. The breach was not the result of an inherent flaw in the cloud services provided by Amazon, as both Amazon and Capital One clarified that the underlying cloud-based infrastructure was not compromised [86964, 87169].

Category: Behaviour
Option: crash, other
Rationale:
(a) crash: The software failure incident in the articles can be categorized as a crash. The incident involved a hacker breaking through a misconfigured Capital One firewall, allowing unauthorized access to customer data stored on the server. This unauthorized access led to the compromise of data of roughly 100 million credit card applicants in the United States [86964, 87169].
(b) omission: There is no specific mention in the articles of the software failure incident being caused by the system omitting to perform its intended functions at one or more instances.
(c) timing: The software failure incident is not related to the system performing its intended functions correctly but too late or too early.
(d) value: The software failure incident does not involve the system performing its intended functions incorrectly.
(e) byzantine: The software failure incident does not exhibit the system behaving erroneously with inconsistent responses and interactions.
(f) other: The behaviour of the software failure incident can be described as a security breach due to a misconfigured firewall that allowed unauthorized access to sensitive customer data stored on the server, leading to a significant data compromise [86964, 87169].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property
Rationale:
(d) Property: People's material goods, money, or data were impacted due to the software failure. The software failure incident involving Capital One resulted in the compromise of personal information of approximately 100 million credit card applicants in the United States, including 140,000 Social Security numbers and 80,000 bank account numbers [86964]. The breach exposed sensitive data such as names, addresses, phone numbers, email addresses, dates of birth, and self-reported income of individuals who had applied for credit card products from 2005 to early 2019 [87169]. Additionally, the incident is estimated to cost Capital One $100 million to $150 million in the near term [86964].

Category: Domain
Option: finance
Rationale:
(a) The failed system was related to the finance industry, specifically affecting Capital One, a financial institution [86964, 87169].
