(Bloomberg) — Capital One Financial Corp. set up an email address for tipsters — including “white hat” hackers — to alert the company to potential vulnerabilities in its computer systems. On July 17, the company got a hit.
“Hello there,” the email said, according to federal prosecutors. “There appears to be some leaked s3 data of yours in someone’s github/gist.” A link was provided to an account at GitHub, a company that allows users to manage and store project revisions, mostly related to software development.
It didn’t take Capital One long to figure out who had accessed its files. The GitHub address included a name, Paige Thompson, a former Amazon.com Inc. employee who used the online nickname “erratic” and discussed her exploits with others, according to federal prosecutors.
“I’ve basically strapped myself with a bomb vest, (expletive) dropping capitol ones dox and admitting it,” Thompson allegedly wrote, under the “erratic“ alias, in a June 18 Twitter message. “There ssns…with full name and dob” — an apparent reference to Social Security numbers.
Damage Assessment
It also didn’t take Capital One much time to assess the damage. On Monday, it announced that about 100 million people in the U.S. had been impacted by the breach, and another 6 million in Canada. The illegally accessed data, which was stored on servers rented from Amazon Web Services, was primarily related to credit card applications and included personal information, like names, addresses and dates of birth, and some financial information, including self-reported income and credit scores.
Most Social Security numbers were protected, but about 140,000 were compromised, the bank said. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual.”
The company described the tipster to the hack as an “external security researcher.”
Thompson, 33, was charged with computer fraud and abuse. In a court hearing Monday, she broke down and laid her head on the defense table. On Tuesday, New York Attorney General Letitia James announced that her office is opening an investigation into the Capital One breach.
The scale of the breach ranks it as possibly one of the largest-ever impacting a U.S. bank, although the consequences may be limited if the data wasn’t distributed to others or used for fraud.
Capital One shares fell as much as 6.5% Tuesday morning, their biggest decline in six months.
Security Lapses
The breach shows how hackers can steal vast troves of consumer data as the result of lapses made by the companies that collect it. In 2017, Equifax Inc. failed to patch a known flaw in its servers, resulting in the theft of 145 million Social Security numbers, along with the names and dates of birth of possibly a third of the U.S. population.
In the Capital One case, Thompson was allegedly able to steal vast buckets of personal data because of an improperly configured firewall — among the most basic digital security tools. The bank said it immediately fixed the problem once it was discovered.
In a complaint filed Monday in Seattle, prosecutors said that Thompson accessed the data at various times between March 12 and July 17. A file on her GitHub account, timestamped April 21, contained a list of more than 700 folders and buckets of data, according to prosecutors.
The Capital One data had been stored on servers it contracted from a cloud computing company that isn’t identified, though the charges against Thompson refer to information stored on S3, a reference to Amazon Web Services’ popular data storage software.
An AWS spokesman confirmed that the company’s cloud had stored the Capital One data that was allegedly stolen, and said it wasn’t accessed through a breach or vulnerability in its systems.
Cloud Advocate
Capital One has been one of the most vocal advocates for using cloud services among banks. The lender has said it is migrating an increasing percentage of its applications and data to the cloud and plans to completely exit its data centers by the end of 2020. The move will help lower costs, the company has said.
The lender has been the subject of several case studies published by Amazon Web Services that noted the cloud services provider has helped the company develop new technologies faster and improve certain services including its call center.
“We have embraced the public cloud and are well on our way to migrating our applications and data to the cloud,” Chief Executive Officer Richard Fairbank told analysts on a conference call in April. “We are now considered one of the most cloud forward companies in the world.”
Thompson, previously an Amazon Web Services employee, last worked at Amazon in 2016, a spokesman said. The breach described by Capital One didn’t require insider knowledge, he said.
‘Wa Wa Wa’
Much of what could be learned about her Monday was information she had posted online. On her GitHub Account, she was writing code dealing with The Onion Router, or Tor, an anonymity tool that allows users to conceal their identities. Capital One investigators determined that Thompson used it in her hack of the bank, according to federal prosecutors.
In online interactions, Thompson suggested she was careful to hide her digital tracks with various security tools, including Tor. But the federal complaint against her outlines relatively simple ways Capital One and the FBI were able to establish her identity, including the name on her GitHub Page.
Thompson was active in the hacking community on Twitter, and she wrote recently about struggling emotionally, and about euthanizing her beloved cat.
On June 27, “erratic” posted about several companies, including Capital One, in an online group, according to court records.
“don’t go to jail plz,” another user wrote.
“Wa wa wa wa, wa wa wa wa wa wa wawaaaaaaaaaaaa,” Thompson responded, and later added, “I just don’t want it around though. I gotta find somewhere to store it.”
On July 29, Federal Bureau of Investigation agents executed a warrant to search Thompson’s residence. In one bedroom, they found digital devices with files that referenced Capital One and its cloud computing company. The devices also included the alias “erratic.”
(Updates with New York attorney general investigation in eighth paragraph.)
–With assistance from Matt Day and Michael Riley.
To contact the reporters on this story: Christian Berthelsen in New York at [email protected];William Turton in New York at [email protected];Jenny Surane in New York at [email protected]
To contact the editors responsible for this story: Andrew Martin at [email protected], Peter Elstrom
For more articles like this, please visit us at bloomberg.com