
How the Capital One Hack Could Have Been Detected Sooner

Guest post by Sam Bocetta!

Sam is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefense, and cryptography.


Another day, another major data breach. This time it is Capital One, a major credit card issuer headquartered in McLean, Virginia. Although the attacker in this case was identified and arrested in record time, the breach could have been detected before the data of some 106 million customers had been accessed.

According to the best information available at the moment, the breach was carried out by a former employee of Amazon Web Services, Capital One's cloud provider, who obtained AWS IAM credentials that permitted access to the S3 buckets holding Capital One's data. She was not a current insider: the credentials were not ones she already held, but temporary credentials for a role attached to one of Capital One's own servers, reached through a misconfiguration in Capital One's deployment (more on that below). That is an embarrassing mistake for a huge, multinational financial services company, so it is no surprise that the parties involved have been quick to point at each other. The fact remains that someone got the configuration wrong, and that the breach could have been avoided.

What Happened With Capital One?

On July 19, 2019, Capital One determined that a former employee of Amazon Web Services had, in March of that year, accessed credit card applications submitted to the company between 2005 and early 2019. The data included names, addresses and other personal information of roughly 106 million customers and applicants in the US and Canada.

While Capital One says there is no evidence that the data was used for fraud or disseminated, there is some evidence that the hacker, Paige Thompson of Seattle, discussed releasing the information for sale on several online forums. It has also been reported that she may have breached more than 30 other organizations.

The data was accessed because of a configuration vulnerability, which an outside party reported to Capital One through its responsible disclosure program; Capital One confirmed and fixed it on July 19. Capital One released an apology to customers and offered free credit monitoring and identity protection for one year to those affected. While no customers are known to have been harmed financially so far, Capital One expects to spend between $100 million and $150 million on breach mitigation.

In some ways, the Capital One breach is a typical example of how data breaches occur in 2019. Two features have become depressingly familiar in recent years: the attacker had detailed knowledge of the target platform (in this case as a former employee of the cloud provider, not as a current insider holding credentials), and the breach could have been prevented had Capital One been following basic security precautions.

How the Capital One Breach Could Have Been Detected Sooner

Capital One is among the first large credit card issuers to commit to moving its business fully onto a public cloud. It runs that platform on Amazon Web Services, one of the oldest cloud computing providers. Capital One has stated that the problem was not a flaw in AWS itself but a misconfigured firewall in its own deployment on the cloud side of the system.

Thompson accessed data that Capital One stored on servers hosted by its cloud provider. Those servers sit behind a web application firewall whose job is to inspect incoming requests and reject anything that does not match the policy it has been given. That is what should have happened here. Instead, the firewall was misconfigured in a way that let requests sent through it reach the server's instance metadata service, which hands out temporary credentials for the IAM role attached to that server; those credentials were then used to list and copy the contents of S3 buckets.

Early coverage framed the incident as a question of whether AWS was at fault, and Amazon quickly denied that: “The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure,” an Amazon spokesperson said in a statement.

Cybersecurity experts agree. Several told the Houston Chronicle that the mistake far more likely occurred on Capital One's side. They also noted that had the deployment undergone proper penetration testing, the misconfiguration would likely have been found well before the breach occurred.

The incident also points to some deeper issues. More and more companies are moving to cloud-based storage because of the speed and scalability it provides. But as more parties are involved in running the same system, it becomes harder to pin down the responsibility (and blame) of each one. Cloud providers address this with a shared responsibility model: the provider secures the underlying infrastructure, and the customer is responsible for how it configures what it deploys, including firewalls, IAM roles and bucket permissions. In practice, though, each party tends to rely on the other to keep data safe, and to blame the other when something goes wrong.

Fortunately, a large part of the answer is straightforward: every company running workloads in the cloud should have a robust monitoring system in place for its own environment.

A robust monitoring system gives teams an overview of what is happening across their infrastructure, whether that is an AWS account, an Azure subscription or an on-premises data center.

Administrators can configure the monitoring system with alert thresholds that separate normal from abnormal activity. For example, the attacker in the Capital One case copied a very large volume of data out of S3, which means a lot of data transfer. In monitoring terms, that volume should have produced spikes in data transfer metrics. One caveat specific to this incident: because the stolen role credentials were used from outside the environment, the bulk reads would not necessarily have shown up on the compromised server's own Network In and Network Out metrics (the per-instance CloudWatch NetworkIn and NetworkOut metrics in AWS); the volume shows up on the storage side instead, in per-bucket bytes-downloaded metrics, S3 access logs and CloudTrail S3 data events, which also record which role read which bucket from which address. Sensible thresholds on data transfer, set per system from its normal baseline rather than as one global number, could have alerted administrators and limited the damage. A second caveat: a fixed per-interval threshold is blind to an attacker who drips data out slowly, so alerts should also consider the total over a trailing window.
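As an added illustration of the baseline-plus-threshold alerting described above (example code written for this post, not Capital One's or AWS's own tooling), the following Python learns a quiet-period baseline from a series of per-interval byte counts and applies both a per-interval spike rule and a trailing-window rule. The series could be an instance's NetworkOut or a bucket's bytes-downloaded metric; the sample series, the interval labels and the thresholds are all constructed for the demonstration.

```python
"""Baseline-plus-threshold egress alerting over per-interval byte counts.

Added example for this post; the sample series and thresholds are constructed,
not taken from any real incident data.
"""
from statistics import median

MiB = 1024 ** 2
GiB = 1024 ** 3


def egress_alerts(points, train_n=24, spike_multiplier=10.0, abs_floor=5 * GiB,
                  window=12, window_limit=50 * GiB):
    """Return alerts for a series of (interval_label, bytes_transferred) samples.

    The first `train_n` samples are treated as a known-quiet period and used to
    learn a baseline (the median, which one bad sample cannot drag upward).
    Every later sample is checked two ways:
      spike     - a single interval above max(abs_floor, spike_multiplier * baseline);
                  the absolute floor stops a near-idle system from alerting on noise
      sustained - the total over the trailing `window` intervals exceeds
                  `window_limit`; this catches a slow drip of transfers that each
                  stay under the spike threshold, which the spike rule alone misses
    A sustained alert fires once per episode, not on every interval of it.
    """
    if len(points) <= train_n:
        raise ValueError("need more samples than the training window")
    baseline = median(b for _, b in points[:train_n])
    spike_threshold = max(abs_floor, spike_multiplier * baseline)
    alerts = []
    in_sustained = False
    for i in range(train_n, len(points)):
        label, nbytes = points[i]
        if nbytes > spike_threshold:
            alerts.append({"kind": "spike", "at": label, "bytes": nbytes,
                           "threshold": spike_threshold})
        trailing = sum(b for _, b in points[max(0, i - window + 1):i + 1])
        if trailing > window_limit:
            if not in_sustained:
                alerts.append({"kind": "sustained", "at": label, "bytes": trailing,
                               "threshold": window_limit})
                in_sustained = True
        else:
            in_sustained = False
    return alerts


def quiet_period(n=24):
    """Constructed 'normal' traffic: 200-240 MiB per 5-minute interval."""
    return [(f"t{i:02d}", 200 * MiB + (i % 5) * 10 * MiB) for i in range(n)]


# Scenario 1 (constructed): a bulk copy, three intervals of 40 GiB each.
BURST = quiet_period() + [(f"t{24 + i:02d}", 40 * GiB) for i in range(3)]

# Scenario 2 (constructed): a slow drip, twelve intervals of 4.5 GiB, each under
# the 5 GiB floor, so only the trailing-window rule can catch it.
SLOW_DRIP = quiet_period() + [(f"t{24 + i:02d}", 4 * GiB + 512 * MiB) for i in range(12)]


if __name__ == "__main__":
    for name, series in (("burst", BURST), ("slow drip", SLOW_DRIP)):
        for alert in egress_alerts(series):
            print(f"{name}: {alert['kind']} at {alert['at']}, "
                  f"{alert['bytes'] / GiB:.1f} GiB (limit {alert['threshold'] / GiB:.1f} GiB)")
```

On the burst series the spike rule fires on each 40 GiB interval and the window rule fires once; on the slow drip the spike rule never fires and the window rule raises a single sustained alert on the twelfth interval. In a real deployment the baseline would be learned per instance or per bucket and refreshed on a schedule, and an alert should carry the identity of the principal doing the transfer from the API logs, not just the byte count.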

The Advantages of a Performance Monitoring Service

Cybercrime is something all of us need to worry about, whether we are individuals, online merchants or security professionals. Customer databases are especially attractive targets because they often contain account numbers and personal identification information that fetch a good price when sold on the dark web.

However, as environments get more complex, access control and log collection on their own are not enough. In the case of Capital One, access was gained by someone with detailed knowledge of how such platforms are put together and therefore of how to reach the customer data. This means that business owners must understand the security controls in place on every system they use, from cloud storage providers to web hosts, from email marketing tools to social media accounts.

That means prevention alone is not enough.

One of the surest ways to protect your systems and your reputation is comprehensive monitoring backed by the ability to do forensics. With logs collected centrally and kept off the systems they describe, you can determine whether any area has been compromised, including by checking the log record against what is actually on disk and in memory, where an intruder's activity leaves traces even after they have cleaned up.

Practiced criminals can and do bypass log review by erasing evidence of their activity, for example by clearing a database's query history. Doing so still leaves traces in storage and in memory, however, and reaching the operating system to tamper with its logs as well requires a higher level of access and generates its own tell-tale signals. This is why logs should be shipped off-host as they are written, to storage the compromised system cannot modify, and made tamper-evident so that a deleted or edited entry breaks a chain the collector can verify.
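As an added example of what tamper-evident means in practice (illustration code written for this post, not a product's or Capital One's implementation), the following Python keeps a keyed hash chain over a query log: each record's tag is an HMAC of the previous tag and the entry, under a key that lives only with the collector, so an intruder who can edit or delete entries on the host cannot recompute the chain. The key, the log entries and the helper names are constructed for the demonstration.

```python
"""Keyed hash chain for a tamper-evident audit log.

Added example for this post; the key and the log entries are constructed.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag of the (nonexistent) record before the first one


def link_tag(key, prev_tag, entry):
    """HMAC-SHA256 over the previous tag and the canonical JSON of this entry."""
    msg = prev_tag.encode() + b"\n" + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(log, entry, key):
    """Append `entry` to `log`, chaining it to the last record's tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    log.append({"entry": entry, "tag": link_tag(key, prev_tag, entry)})
    return log


def first_broken_link(log, key):
    """Index of the first record whose tag does not match its predecessor, else None.

    A modified entry breaks its own link; a deleted entry breaks the link of the
    record that followed it, because that record was chained to the missing tag.
    """
    prev_tag = GENESIS
    for i, record in enumerate(log):
        expected = link_tag(key, prev_tag, record["entry"])
        if not hmac.compare_digest(expected, record["tag"]):
            return i
        prev_tag = record["tag"]
    return None


# Constructed key and entries: a short database query log as the collector stored it.
KEY = b"collector-side-secret-for-this-example-only"
ENTRIES = [
    {"ts": "2019-03-22T10:00:00Z", "user": "app", "query": "SELECT 1"},
    {"ts": "2019-03-22T10:05:00Z", "user": "app", "query": "SELECT name FROM applicants WHERE id = 42"},
    {"ts": "2019-03-22T10:06:00Z", "user": "svc", "query": "SELECT * FROM applicants"},
    {"ts": "2019-03-22T10:07:00Z", "user": "app", "query": "SELECT 1"},
]

GOOD_LOG = []
for _entry in ENTRIES:
    append_record(GOOD_LOG, _entry, KEY)


def tampered_copy(log, index, new_query):
    """Attacker edits the text of one entry in place (e.g. hiding a bulk SELECT)."""
    altered = copy.deepcopy(log)
    altered[index]["entry"]["query"] = new_query
    return altered


def deleted_copy(log, index):
    """Attacker deletes one entry from the middle of the log."""
    return log[:index] + log[index + 1:]


def truncated_copy(log, keep):
    """Attacker drops the tail of the log; the chain alone cannot see this."""
    return log[:keep]


if __name__ == "__main__":
    print("intact:", first_broken_link(GOOD_LOG, KEY))                                        # None
    print("edited entry 2:", first_broken_link(tampered_copy(GOOD_LOG, 2, "SELECT 1"), KEY))  # 2
    print("deleted entry 2:", first_broken_link(deleted_copy(GOOD_LOG, 2), KEY))              # 2
    print("truncated to 2:", first_broken_link(truncated_copy(GOOD_LOG, 2), KEY))             # None
```

Two design points matter. The key must never be on the host that produces the log; if it were, an attacker with root there could simply rebuild the chain. And a chain by itself does not detect truncation, since dropping the newest records leaves a perfectly valid shorter chain: the collector also has to record the latest tag and record count somewhere the host cannot write, so that a shortened log is caught by comparison with that anchor.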

The Bottom Line

Had Capital One had good monitoring in place, it is likely the breach would have been detected within hours of the first unauthorized access rather than months later. Consumers and business owners are disheartened whenever news of a huge hack breaks. It reinforces fears of identity theft and financial ruin. We worry because if governments and huge corporations cannot protect data, how can individuals and SMBs?

We cannot afford to take data security for granted. The first step toward more comprehensive cyber security is knowing where breaches are possible. The second is using the available tools and monitoring systems diligently and consistently.