The Capital One Hack That Had Credit Card Users Asking Who’s in Their Wallet
In the summer of 2019, a hacker by the name of Paige A. Thompson gained access to Capital One’s customer data. This data included names, addresses, phone numbers, and other sensitive information Capital One collected when its customers applied for credit cards. In total, the breach exposed sensitive data belonging to approximately 100 million people.
The hacker also accessed 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 linked bank accounts.
Luckily, authorities identified the breach and apprehended her before she could do anything malicious with the information. According to Thompson, she simply stumbled onto the data while looking for misconfigured servers and never intended to use or sell what she found.
The technical name for this kind of hack is a Server-Side Request Forgery (SSRF). This type of vulnerability is very serious and often affects organizations that use public cloud services like AWS. In an SSRF attack, a hacker tricks a server into making a request to a destination of the attacker’s choosing, typically an internal system that is not reachable from the outside.
In this hack, an Apache server instance running on Amazon’s cloud was misconfigured, allowing the hacker to obtain credentials handed out by a metadata service. That metadata service was designed to provide credentials only to the instance itself, on the internal network, so that servers could authenticate to each other.
Thompson had worked for Amazon in the past and knew how to scan for this flaw in Apache servers. Once she found the flaw on Capital One’s Amazon server, it was easy to retrieve credentials from the metadata service, and once that step is accomplished, those credentials can be used to access any data on the network.
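The defensive counterpart to the mechanism described above is a check on every URL a server is asked to fetch, rejecting destinations that resolve to link-local, loopback or private addresses (the instance metadata service lives on a link-local address). The following guard is an added example written for this article, not code from Capital One, Amazon or Canary Trap; the `ALLOWED_SCHEMES` set, the `resolve` hook and the `example.test` hostname are assumptions for illustration.

```python
"""Outbound-URL guard against SSRF reaching internal services such as the
cloud instance metadata endpoint. Added illustrative example, not the
article's own code."""
import ipaddress
import socket
from urllib.parse import urlparse

# Assumption: the application only needs to fetch public http(s) resources.
ALLOWED_SCHEMES = {"http", "https"}

def _resolve(host):
    """Default resolver: every address the host resolves to (IPv4 and IPv6)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public_address(addr):
    """True only for globally routable unicast addresses.

    ipaddress's is_global already rejects link-local (169.254.0.0/16, where
    the metadata service lives), loopback, RFC 1918 private ranges and the
    unspecified address; the extra checks close multicast/reserved gaps."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)

def check_fetch_target(url, resolve=_resolve):
    """Return (ok, reason). `resolve` is injectable so the check runs offline.

    Every address the host resolves to must be public, so a hostname that maps
    to both a public and an internal address (a DNS rebinding setup) is
    rejected. The caller must then connect to one of the vetted addresses
    instead of re-resolving the name, otherwise the check can be raced."""
    try:
        parts = urlparse(url)
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets around IPv6 literals are already stripped
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in url"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal, no lookup
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False, "unresolvable host"
    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"
```

Pair this with the cloud provider's hardened metadata-service mode so that even a request that slips past the guard cannot retrieve credentials with a plain GET.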
Regular penetration testing or Threat Risk Assessments would have exposed this flaw in the Apache server configuration before Thompson (or someone else) found it. It is a common mistake, and the fix would have been simple.
The internet is a dangerous place for data. Fortunately, there are solutions for any security issues companies may face. The first step is getting a world-class security team like Canary Trap to take care of these issues before they turn into a bigger problem.