Capital One’s AWS Server Data Breach Trips Alarms over Cloud Security


Fears over cloud cybersecurity are mounting after a massive data breach at Capital One.

The country’s 10th largest bank revealed last week that a hacker had gained access to the personal data of more than 100 million customers stored in the cloud in one of the biggest data breaches in history.

FBI agents arrested Seattle systems engineer Paige Thompson shortly after the breach was announced. According to a Justice Department complaint, Thompson previously worked at a cloud hosting company used by Capital One, though it didn’t specify which. Amazon Web Services confirmed that Thompson worked there three years ago.

Capital One says the hacker accessed the personal data of credit card applicants, including names, addresses, phone numbers, income, credit scores and payment history. The hacker gained access to 140,000 Social Security numbers, one million Canadian Social Insurance numbers and 80,000 bank account numbers. The data was stored in the AWS cloud.

Capital One uses its own web application to handle data in the cloud, court papers say, adding that Thompson breached the application after a “firewall misconfiguration” left a cloud server vulnerable.

The nightmare scenario

The case appears to confirm the worst fears of businesses about storing data in the cloud.

Many financial institutions have declined to migrate customers’ personal data to the public cloud, citing security concerns and unease about sharing cloud capacity with rivals. Instead, they have tended to maintain their own data centers or have adopted private cloud strategies where data is protected by their own internal firewalls.

Capital One stands out from other financial institutions in its adoption of the public cloud, proudly unveiling its cloud strategy on the main stage at an AWS event in 2015.

The bank sees itself as a technology-driven company and has moved many of its apps onto AWS. It views security as one of the big pluses of moving data onto AWS because the cloud vendor can leverage its specialized knowledge to update security systems faster and more effectively than any financial institution.

But was Capital One’s faith in cloud security misplaced? Perhaps not. The Verge website casts doubt on whether the breach was a cyberattack in the usual sense. “The closer you look, the stranger the story is,” says the site.

It points out that Thompson, an experienced systems engineer, appeared to have taken no steps to cover her tracks when accessing the data and that she was easily tracked down.

There is no information on what she did with the data, but neither is there evidence that she tried to sell it. And the site says that the vulnerability in the firewall was a misconfiguration rather than an exploit – leading some to wonder if Thompson might have been a well-intentioned researcher who went a little too far.

Unusual data theft

This may not have been data theft in the traditional sense. But even if the attack was carried out with malicious intent, some analysts believe that the cloud is still far safer than company-owned data centers. The breach, they say, was not so much a cloud security issue as the action of an individual worker.

As the data collected by businesses explodes, they are finding their own data centers are ill-equipped to handle the flow. They are increasingly renting compute power and storage space from third-party vendors – cloud providers such as AWS, Microsoft Azure and Google Cloud. But in the process, they are putting the security of their data into the hands of separate companies.

Data regulators place the onus squarely on the shoulders of data controllers to protect personal data from theft or corruption.

Huge fines have been levied on companies for data breaches. Equifax has agreed to pay up to a $700 million penalty for a data breach in 2017 that affected more than 147 million customers. Hackers exploited a weakness in a company database, showing that on-premises data storage is also vulnerable to attack.

In Capital One’s case, an investigation has been launched by the New York state attorney general’s office, which says that personal-data safeguards were lacking. Depending on the outcome, the bank could face a substantial fine.

More will become known as the case unfolds, but it suggests that insider cyber threats can be just as devastating as those launched from outside a company’s network.