Organizations regularly accumulate vast amounts of sensitive information as part of their daily operations. This is especially true of financial institutions, which have access to sensitive information about their customers in the form of financial history, purchase data, and other personal information.

Organizations with the ability to collect and process such large amounts of sensitive data have a responsibility to appropriately protect it as well and prevent a data breach. However, recent history has demonstrated that many organizations do not or cannot implement the security protection necessary to ensure that hackers cannot gain access to their customers’ personal data. As a result, customers suffer the damage caused by companies’ inability to protect their data.

The latest major organization to suffer a large-scale data breach is Capital One. The financial institution was infiltrated by a hacker who managed to steal the personal data of over 100 million of the bank’s customers. Understanding the details of the data breach and where Capital One went wrong in its cybersecurity strategy and operations is important for other organizations wishing to avoid following in the bank’s footsteps.

Inside the Breach

In July 2019, Capital One was informed that it had suffered a significant breach of sensitive customer data. The breach affected 100 million Americans and 6 million Canadians. Breached data included the following:

  • Names
  • Addresses
  • Zip/postal codes
  • Phone numbers
  • Email addresses
  • Birth dates
  • Self-reported income
  • Social Security Numbers (140,000 Americans)
  • Social Insurance numbers (1 million Canadians)
  • Linked bank account information (80,000 accounts)

Based upon their analysis of the breach, Capital One believes that the information stolen by the attacker was not provided to third parties or used for malicious purposes. However, the scope of the breach is significant, as is the sensitivity of the information exposed.

Capital One learned of the breach through the efforts of a white-hat hacker who found a disclosure posted online by the attacker. The attacker had apparently breached a number of different organizations and posted information about those crimes on Slack, Twitter, and GitHub. As a result, Capital One was able to respond quickly to the breach once it was brought to its attention.

Investigation of the breach revealed that it was accomplished by taking advantage of a poorly configured and secured cloud deployment and web application firewall (WAF). The attacker was a former employee of AWS, where the bank’s sensitive data was stored. By taking advantage of a misconfiguration error in Capital One’s WAF, the attacker was able to use the privileges granted to the WAF to perform privileged actions on the organization’s AWS deployment, granting her access to the bank’s sensitive data.

Causes of the Breach

This breach was made possible by a number of different security mistakes and shortcomings on the part of Capital One. The attacker was able to perform privileged commands on the Capital One AWS account because of issues in how the organization deployed and configured its WAF. While the organization’s cloud deployment may have been appropriately deployed and locked down against attack, the WAF was granted elevated permissions as part of its role in protecting the data stored in the cloud. By taking advantage of a vulnerability called server-side request forgery (SSRF), the attacker was able to control the requests the WAF server made to the AWS instance. Since the WAF had privileged access to the data, the same privileges were available to the attacker as well.
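The defensive counterpart of the SSRF weakness described above is a server-side component that refuses to forward requests to addresses that only make sense from inside the deployment. The following is an added example written for this article, not code from Capital One, AWS, or any WAF product; the page does not say which internal endpoint the forged requests reached, so the check rejects the whole private, loopback, and link-local ranges (the link-local range is where cloud instance-metadata services typically answer). The `resolver` parameter is an assumption introduced so the check can be tested without live DNS.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not Capital One's or AWS's code. A server-side fetcher
# (proxy, WAF, URL-preview feature) validates where a request would land
# before making it on the caller's behalf.
ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip):
    """True only for globally routable unicast addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d wraps an IPv4 target; judge the IPv4
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason) for a URL the server is asked to fetch.

    `resolver` is a hypothetical hook with socket.getaddrinfo's signature;
    it defaults to real DNS and can be replaced by a stub for offline tests.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host in URL"
    try:
        targets = [ipaddress.ip_address(host)]  # literal address, no DNS needed
    except ValueError:
        # Hostname (or a non-dotted numeric form): resolve and judge every
        # address it maps to, not just the first.
        try:
            infos = resolver(host, parsed.port or 80, proto=socket.IPPROTO_TCP)
        except OSError:
            return False, f"cannot resolve {host!r}"
        targets = [ipaddress.ip_address(info[4][0]) for info in infos]
    for ip in targets:
        if not _is_public(ip):
            return False, f"{host!r} points at non-public address {ip}"
    return True, "ok"
```

Two things the check alone does not cover: the actual connection should be pinned to the address that was validated (otherwise a DNS answer that changes between check and connect bypasses it), and HTTP redirects must be followed manually so each hop is validated again.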

However, this vulnerability wouldn’t have been enough to make the breach possible. The actions taken by the attacker to access Capital One’s data may not have violated permissions on the AWS instance, but they were unusual and would have been detected by appropriate monitoring of the sensitive data. If the organization had deployed a data security solution capable of detecting anomalies in access to sensitive data, the intrusion would have been revealed immediately, if not prevented outright by the data security solution.
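To make the "unusual but permitted" point concrete, here is an added example (not Capital One's tooling and not based on its real logs) of the kind of anomaly check the paragraph describes: it builds a per-principal baseline from historical access events and flags a principal that, within a new window, enumerates storage it never enumerated before, reads resources it never touched, or reads at many times its previous peak rate. The principal name `edge-proxy-role`, the bucket names, and all events are constructed for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Added example; event shape and names are constructed, not real audit logs.
READ_ACTIONS = {"GetObject"}
ENUMERATION_ACTIONS = {"ListBuckets", "ListObjects"}


def _hour(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def _new_profile():
    return {"resources": set(), "reads_per_hour": Counter(), "enumeration_seen": False}


def _profile(events):
    """Aggregate events per principal: resources read, reads per hour, enumeration use."""
    profile = defaultdict(_new_profile)
    for e in events:
        p = profile[e["principal"]]
        if e["action"] in READ_ACTIONS:
            p["resources"].add(e["resource"])
            p["reads_per_hour"][_hour(e["time"])] += 1
        elif e["action"] in ENUMERATION_ACTIONS:
            p["enumeration_seen"] = True
    return profile


def build_baseline(history):
    """Summarise past behaviour: what each principal normally reads and its peak hourly rate."""
    return {name: {"resources": p["resources"],
                   "peak_hourly_reads": max(p["reads_per_hour"].values(), default=0),
                   "enumeration_seen": p["enumeration_seen"]}
            for name, p in _profile(history).items()}


def detect_anomalies(window, baseline, volume_factor=5):
    """Return (principal, reason) alerts for behaviour outside the principal's baseline.

    Nothing here checks permissions; every event may have been authorised.
    """
    alerts = []
    for name, p in _profile(window).items():
        base = baseline.get(name)
        if base is None:
            alerts.append((name, "principal has no baseline"))
            continue
        new_res = p["resources"] - base["resources"]
        if new_res:
            alerts.append((name, f"read from resources never seen in baseline: {sorted(new_res)}"))
        if p["enumeration_seen"] and not base["enumeration_seen"]:
            alerts.append((name, "enumeration call never seen in baseline"))
        peak = max(p["reads_per_hour"].values(), default=0)
        threshold = max(1, base["peak_hourly_reads"]) * volume_factor
        if peak > threshold:
            alerts.append((name, f"hourly read volume {peak} exceeds "
                                 f"{volume_factor}x baseline peak {base['peak_hourly_reads']}"))
    return alerts


def _events(principal, action, resource, start, count, spacing_seconds):
    """Constructed helper: `count` events from `start`, `spacing_seconds` apart."""
    return [{"principal": principal, "action": action, "resource": resource,
             "time": start + timedelta(seconds=i * spacing_seconds)} for i in range(count)]


# Constructed sample data. Baseline week: the proxy role reads a handful of
# static assets per hour; an analyst occasionally lists buckets.
T0 = datetime(2019, 7, 1, 9, 0)
BASELINE_EVENTS = (
    _events("edge-proxy-role", "GetObject", "s3://app-static/css", T0, 12, 300)
    + _events("edge-proxy-role", "GetObject", "s3://app-static/js", T0 + timedelta(days=1), 10, 360)
    + _events("analyst-user", "ListBuckets", "-", T0, 1, 0)
)
# New window: the same proxy role enumerates buckets, then reads 300 objects
# in five minutes from a bucket it has never touched.
WINDOW_EVENTS = (
    _events("edge-proxy-role", "ListBuckets", "-", T0 + timedelta(days=7), 1, 0)
    + _events("edge-proxy-role", "GetObject", "s3://customer-records/export",
              T0 + timedelta(days=7, minutes=5), 300, 1)
)

if __name__ == "__main__":
    for principal, reason in detect_anomalies(WINDOW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"ALERT {principal}: {reason}")
```

The three signals are deliberately independent: a role that is authorised to read a bucket still looks different when it starts reading a bucket it has never read, at fifty times its usual rate, right after enumerating what exists.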

Protecting Your Data

The Capital One breach should serve as a warning to organizations that routinely collect and store customers’ personal and protected information. Capital One is known as an extremely tech-savvy business and was an early adopter of cloud computing. However, an openness to new technology doesn’t always mean that an organization is using it correctly.

In this case, Capital One was doing several things right. Deploying a web application firewall is an important component of most organizations’ security strategy. Many organizations have web apps designed to allow customers to easily access their information and manage their accounts online. These web apps are a common target of attack and deploying a good WAF is an important step in protecting them.

Where Capital One’s security fell apart is in the step beyond buying and deploying the security solution. A security appliance is only effective if it is correctly configured, managed, and monitored. The fact that the Capital One attacker gained access to their sensitive data by abusing a misconfigured WAF demonstrates that a security strategy is an ongoing process, and that these security devices can be a danger if not used appropriately.