Historical Hacks: Capital One (2019)
There is no state actor in today's historical hack because this one was almost an inside job.
If you aren’t a medium member, you can read with no paywall via substack
When you’re doing a security assessment, you’re typically looking at how to harden or protect your systems from external threats. This is why many attacks emphasise the importance of strategies like social engineering. By gaining access to the inside of a system, you’ll typically be able to navigate your way around much easier than you could if you had to breach it from the outside.
Because of this, cyber security often places a lot of emphasis on the importance of stopping these social engineering attacks by educating its users and providing resources to help stop social engineering attacks from occurring in the wild. And while this is admirable stuff there is one glaring oversight with this approach. Namely, what steps do you take to prevent a bad actor from becoming a part of your team? In today’s historical hack, we’ll be exploring just that as we take a look at a recent data breach that ended up being quite close to an inside job. It is, of course, the Capital One breach. Let’s check it out!
The Background
A United States-based company that provided a vast array of financial and banking services, Capital One was one of America’s largest banking providers. Offering everything from auto loans to credit cards, to consumer banking services it was a titan of the American banking industry, even playing a role in the mass adoption of consumer credit cards.
By the time 2019 came around, it had been through several acquisitions and was a large-scale user of cloud-based operating systems like those provided by AWS. Adopting modern technology as part of its business model meant that Capital was able to capture large segments of market share across a range of different industries. Because of this, the company would end up holding a large assortment of information about its clients, including personal information and a significant amount of financial data.
Essentially what this meant was, that for a black hat hacker, Capital One and its customer data represented a target that was ripe for the picking.
The Breach
First disclosed to the public in July 2019, the breach had actually occurred several months earlier in March of the same year. A misconfigured AWS firewall had enabled the hacker to access secure data belonging to Capital One. The data was eventually extracted and made its way into the public arena and while that seems straightforward enough, there are actually more than a few interesting twists to this tale.
Firstly, while we’re saying it was a reasonably straightforward attack the reality is that a significant amount of damage was done. The information and records of over 106 million Americans were stolen in the breach and this information would eventually make it out into the wild causing further problems for those involved. Making matters worse, Capital’s slogan at the time was “What’s In Your Wallet?” a phrase that had an entirely different twist in the aftermath of a data breach.
The really interesting part though is the attacker. Rather than being a state-based or cybercrime-focused threat actor, this attack was perpetrated by a rouge, ex-Amazon employee who was able to exploit the data. Using a simple script to scan for firewall vulnerabilities, the attacker was able to identify vulnerable machines that could be exploited for their data later on.
While typically most hackers are expected to be male, this time was different as well as it would be a female that would end up being responsible for the attack. With just 5 years between the breach and this article, we won’t name the attacker directly but it’s all there on the public record for those wanting to explore the details around the breach in more detail.
The Fallout
As you’d imagine, the leaking of data held by one of the country's biggest financial providers was pretty spectacular. Not only did Capital have to deal with the issue of the data breach and apply mitigation strategies but the incident itself had left many with a significant loss of trust in the company.
For many, the reason this loss of trust occurred was because hearing about the breach didn’t actually come from Capital. More than a few people reported that the first they’d actually heard about an incident was when the media started reporting it in the news. This isn’t a great look for a financial provider, but as the Simpsons meme goes, “then it got worse”.
The social media era was in full swing by this time, and when Capital made a press release stating that “no SSN and PII was stolen” along with information that was listing stolen SSNs the internet was quick to treat it with the disdain it deserved. While the data breach was bad enough, the handling of the incident in its aftermath left much to be desired as well.
Once the rectification work was carried out, Capital was left with a bill of hundreds of millions of dollars caused by the attack.
Crime & No Punishment
While computer misuse for financial gain is usually punished pretty heavily, in this instance, the attacker ended up with a suspended sentence.
To many people outside of the cybersecurity industry, the art of a hack or data breach can often seem like a dark art. This can sometimes mean that imparting an understanding of the situation to those who might be involved with the situation can be a bit challenging. In fact, Judge Robert Lasnik was heard to quip during the trial that “he yearned for the days of a shooting as at least that was something he understood”. It’s more than fair to say that prosecuting cyber incidents can come with an additional amount of complexity that you simply wouldn’t find with more traditional cases.
Despite the case for computer misuse being pretty clear cut along with the consequences of the breach, at the end of the trial when all was said and done, the defendant was sentenced to time served along with a probationary sentence. A reasonably toothless sentence considering the consequences of the event.
Further Reading
We used some outside reference material to compile this month's historical hack. If you’d like to read more about the event or review the material yourself, you might find the following links to be useful.
Capital One - Wikipedia
Clouded Judgment: How a Former Amazon Employee Hacked Capital One
If you found this article insightful, informative, or entertaining, we kindly encourage you to show your support. Clapping for this article not only lets the author know that their work is appreciated but also helps boost its visibility to others who might benefit from it.
🌟 Enjoyed this article? Join the community! 🌟
📢 Join our OSINT Telegram channel for exclusive updates or
📢 Follow our crypto Telegram for the latest giveaways
🐦 Follow us on Twitter and
🟦 We’re now on Bluesky!
🔗 Articles we think you’ll like:
- What The Tech?! Rocket Engines
- OSINT Investigators Guide to Self Care & Resilience
✉️ Want more content like this? Sign up for email updates