How Paige Thompson Hacked the Capital One Firewall
The 2019 Capital One hack was committed by a transgender person going by the name Paige Thompson. Paige essentially committed the hack and bragged about it on social media in order to get attention from others. This crime could be labeled a cry for help, as Paige was suffering from mental health issues as well. Paige was being held in the men’s detention center prior to trial but was released on the grounds that the judge feared the defendant might self-harm due to inadequate mental health treatment in the facility (Stone, 2019). The trial for Paige is currently set for November 4th, 2020 (US Department of Justice, 2020).
While the actor’s motives and objectives have not been argued in a court of law, they can be fairly accurately surmised from news articles on the case. Thompson had worked for Amazon Web Services, which hosted the data for Capital One. Thompson exploited a misconfigured firewall on the servers and in doing so was able to achieve privilege escalation (Krebs, 2019). He did this by creating a program that would scan the web applications of AWS clients, searching in particular for that specific firewall misconfiguration. Once it was found at Capital One, Paige then set about downloading reams of data. All in all, approximately 100 million customers of Capital One had their data compromised by the hack. The only reason the hack became known, however, was that the hacker posted his doings on GitHub, the programmer code-sharing social media site. Thompson obviously wanted to win the attention of other programmers, coders and hackers. But when a user on GitHub contacted Capital One about the possibility of a hack, based on the information posted by Thompson, Capital One reached out to the FBI. The FBI then traced the postings on GitHub back to Paige Thompson and an arrest was made (Krebs, 2019).
Based on that information, it is apparent that Thompson knew about the misconfigured firewall from time spent at AWS, and he used that knowledge to exploit the firewalls of clients and gain access to their data. That Thompson never actually used the information in a ransomware attack or to hold data hostage shows that the crime was never for personal gain but rather solely for attention. Considering Thompson’s other unusual posts and gender dysphoria, it is likely that this was a cry for help.
Thompson used knowledge from working at AWS to attack the systems of AWS clients, which is an ethics violation first of all. Thompson then wrote a script to scan the web applications. Though this is normal operating procedure for hackers, it is not something that most people would do unless they had criminal intent. Normally, however, hackers do this to gain financially. Thompson did not, which raises the likelihood of this being a mental health issue more than a criminal justice issue. While his strategy was successful because he had insider knowledge of AWS programming, his actions are what led to his being caught by federal agents. The need to show off and boast about what he had done led the authorities right to him. Typically, hackers try to remain anonymous and cover their tracks. Thompson gained access and left without raising any alarms about what he had done, and he would have gotten away with it had he not begun posting about his exploits on social media.
A common strategy used among hackers is to exploit end user weakness and gain entry into systems through phishing or spear phishing schemes. In this case, Thompson already knew of a weakness to exploit, having been a programmer at the hosting company responsible for securing companies’ data. Thompson did not have to go phishing to find an end user who would give up a password or provide access by clicking on a link; all Thompson had to do was scan applications to find an open door that would allow privilege escalation. Since so many companies outsource their hosting services, this is not necessarily something that Capital One would have known about. However, the public largely assumes that companies like Capital One will have enough security protections in place to prevent something as simple as this from happening.
This raises the question of how many times companies like Capital One are actually attacked and successfully hacked by third parties without anyone ever realizing it. If Thompson could do it and get away with it without anyone knowing, it is quite possible that hacks are occurring all the time, that data is being breached and stolen without anyone being the wiser. If this data were then being sold on the black market, who would know? Thompson could have potentially sold the stolen data on the black market and kept quiet about the entire incident and no news articles would have been written about it and no authorities would have been alerted. Yet because Thompson had mental health issues, he wanted everyone to know, and that is the only reason people today do know about the Capital One data breach. 100 million people were impacted, and they only know of that because the hacker himself confessed it to the world via GitHub.
The fact is that most companies should have testing procedures in place to prevent this sort of intrusion. The problem is that there is no fundamental federal legislation in place that requires companies to test for weaknesses—and until that legislation is in place the weaknesses will likely go on persisting. Companies are going to continue to outsource their IT needs to third-party providers like AWS because third parties can specialize in that field and companies like Capital One can focus energy and resources on doing what they do best—finance. The problem today is that no company can exist solely in the business or field in which it provides services or products. It has to be dialed into the digital age and connected via the Internet of Things, because that is the nature of enterprise today. This places new technological demands on companies that should alter their risk management profiles. Unfortunately, companies are looking to cut corners in capital expenditures and they believe that if they outsource their IT needs, they are outsourcing the risk as well—but they are not, as the lawsuit leveled at Capital One should show.
Capital One failed to protect against a vulnerability and in fact failed to even realize a vulnerability existed. It should have had a security team in place looking for these very types of vulnerabilities itself—but in order for that team to know what to look for, it would have to be aware of the coding deficiencies, knowledge only likely to come from experience in the industry. Thus, a degree of experience and understanding is required for security teams to be effective. As with anything else, it is not simply a matter of hiring graduates with degrees and expecting them to know what to look for and where weaknesses are likely to be. Experts and experienced security personnel are needed, and the talent pool for this is not very deep considering the amount of need that actually exists in the world for this type of knowledge.
Capital One did do the right thing by contacting the FBI immediately; however, by then it is a little too late to stop the attack. Capital One was actually fortunate that the hacker did not have more malicious intentions. The situation could have easily been 1000 times worse than what it was.
The long-term impacts of the data breach are yet to be realized. Essentially, this was an isolated incident in which a disgruntled worker with mental health issues used programming to vent his frustration and draw attention to himself in what was a cry for help. The data was not used for exploitative purposes. The system configuration flaw was addressed, and overall the incident highlights the need for companies to conduct better security reviews of their digital systems. Capital One has been sued, however, by the same company that went after Yahoo! and Equifax after their respective data breaches. As Equifax settled out of court for $700 million and Yahoo! for $117 million, it is likely that Capital One would also settle for an amount somewhere between those two, based on the number of people impacted (Dellinger, 2019). Thus, the reality is that hacks of this nature may seem like no big concern, but they can be immensely costly down the line. It is therefore worth investing in security risk mitigation protocols.
In conclusion, the 2019 hacking of Capital One was an isolated incident in which a disgruntled programmer from AWS was seeking attention as a way to deal with mental health issues. Capital One was not targeted specifically; it was simply the company found to have an exploitable firewall weakness after Thompson wrote a script to scan AWS client web applications for a way in. The weakness could have been prevented had it been known about by Capital One’s data security team, but there was clearly a disconnect between the reality of the firewall and the team’s understanding. This is why communication between hosting providers like AWS and their clients’ security teams is important and should be conducted with more frequency.
References
Dellinger, A. J. (2019). Capital One Hit With Class-Action Lawsuit Following Massive Data Breach. Retrieved from https://www.forbes.com/sites/ajdellinger/2019/07/30/capital-one-hit-with-class-action-lawsuit-following-massive-data-breach/#4689f6226b1a
Krebs, O. S. (2019). Capital One data theft. Retrieved from https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/
Stone, J. (2019). Alleged Capital One hacker Paige Thompson to be released before trial. Retrieved from https://www.cyberscoop.com/capital-one-hacker-free-trial-paige-thompson/
US Department of Justice. (2020). US v. Paige Thompson. Retrieved from https://www.justice.gov/usao-wdwa/united-states-v-paige-thompson