The Washington Post

Capital One looked to the cloud for security. But its own firewall couldn’t stop a hacker.

Capital One says a hacker accessed roughly 100 million credit card applications in the United States. Federal prosecutors say the breach also included 140,000 Social Security numbers and 80,000 bank account numbers. (Jeff Chiu/AP)

In 2015, Capital One’s chief information officer, Rob Alexander, promoted the steps the bank had taken to protect its financial data. In his keynote address at an Amazon Web Services conference, Alexander said Capital One had looked to AWS to meet customer demand, cut back on its data centers and boost security, especially since “the financial services industry attracts some of the worst cybercriminals.”

Four years later, Capital One was ensnared in one of the largest-ever hacks of a big financial institution. And in the end, its embrace of cloud services couldn’t save roughly 100 million credit card applicants in the United States from having their data compromised.

Instead, federal agents in Seattle arrested 33-year-old Paige A. Thompson, who is accused of breaking through a misconfigured Capital One firewall. The hole meant a hacker could reach the server where Capital One was storing its information and access customer data.

Amazon told the New York Times that its cloud had stored the stolen Capital One data. But the bank said that “this type of vulnerability is not specific to the cloud,” adding that it was able to quickly diagnose and fix the issue because of its “cloud operating model.” Amazon told the Times that it found no evidence that its underlying cloud services were compromised.

Amazon did not respond to a request for comment Tuesday. (Amazon founder and chief executive Jeff Bezos owns The Washington Post.)

On Monday, the Virginia-based bank said a hacker had accessed roughly 100 million credit card applications. Federal prosecutors say the breach also included 140,000 Social Security numbers and 80,000 bank account numbers, culled from tens of millions of credit card applications. Capital One said the data came from credit card applications that customers and small businesses submitted from 2005 to early 2019. The bank said the hack will cost the company $100 million to $150 million in the near term.

The hack comes just days after Equifax, a credit reporting company, announced it had reached a $700 million settlement with federal regulators over a 2017 cyberattack that exposed the personal information of 147 million people.

Capital One has been a leading advocate in the banking world for cloud services. The company is migrating more of its applications and data to the cloud, Bloomberg reported, and plans to be done with its data centers by the end of 2020. Other financial firms have been more wary of cloud services, largely for security reasons.

Cloud-hosting services like AWS are especially attractive to companies looking to cut costs, said Jonathan Stone, chief technology officer for the IT consulting firm Kelser. Building and running data centers carries a hefty price tag, often tens of millions of dollars. But with a third-party service, “you can be an expert in your business and not necessarily have to know how all the plumbing works,” Stone said.

But that assurance didn’t protect Capital One from its own firewall issue that federal officials say allowed Thompson to break through. Thompson was an AWS employee who last worked at Amazon in 2016, a company spokesman told Bloomberg. The spokesman noted that the breach Capital One described did not require insider knowledge.

Before the hack, Capital One set up an email address for tipsters to raise alarms about potential holes in the company’s systems. According to federal prosecutors, the bank received one email suggesting leaked data had shown up on GitHub, a site for collaborating on software code.

The posts linked to Thompson’s name, her email address and other online records belonging to her, court documents show. Thompson used the online nickname “erratic” and openly talked about her hacks, federal prosecutors said.

Stone said that while Capital One missed the firewall vulnerability on its own, the bank moved quickly once it did. That certainly was helped by the fact that the hacker allegedly left key identifying information out in the open, Stone said.

But the hack also raises questions about how companies handle and store historical data, like credit card applications going back more than a decade.

“The more stuff you have laying around,” Stone said, “the more chance you have of something bad happening with it.”