The Capital One data breach affected about 106 million people. Among the exposed data were roughly 140,000 Social Security numbers, 80,000 linked bank account numbers and 1,000,000 Canadian Social Insurance Numbers. The intrusion had taken place about four months earlier, but it went unnoticed until an external tip reached Capital One. The legal case built on it was quite interesting.
It resulted in the loss of names, addresses, postal codes, phone numbers, email addresses, dates of birth, self-reported incomes, credit scores, credit limits, balances, payment history and contact records, drawn from credit card applications submitted between 2005 and early 2019.
Why It Happened?
17th July 2019 – Capital One received an email stating that its data was on GitHub. On investigation it found that the data had been accessed through a compromise of its cloud environment. From what is known, the attacker exploited a public-facing application, a misconfigured web application firewall running on an EC2 instance, that fronted Capital One's AWS resources.
According to the indictment, “A firewall misconfiguration permitted commands to reach and be executed by that server”. Public analysis of the case describes the weakness as server-side request forgery (SSRF): the WAF could be made to relay requests to the EC2 instance metadata service, which handed back temporary credentials for the IAM role attached to the instance.
Below is the likely attack journey:
- The target exposed a vulnerable web application (the WAF) and a remote access server to the internet
- Once in, the attacker obtained the temporary credentials of an IAM role whose permissions were far broader than a WAF needs (unauthorized access)
- Using that role, the attacker listed the account's S3 buckets, which gave access to about 700 of them, and then synced the contents of the buckets holding customer data
What Can You Learn?
The attack chained several weaknesses at different stages, and a few mitigation steps follow directly from it.
- Continuous inventory and monitoring of cloud assets, including patch and update schedules for internet-facing components such as the WAF
- An IAM role management programme: least-privilege policies for instance roles (a WAF role has no business listing or reading every S3 bucket in the account), and requiring IMDSv2 (session-token based metadata access) so that an SSRF primitive cannot fetch instance credentials with a single GET request
- AWS CloudTrail log retention and frequent checks for unauthorized access, in particular instance-role credentials being used from an IP address that is not the instance itself
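The last point is the one that would have surfaced this breach months earlier, so here is an added example (not from the original article, and not Capital One's tooling) of that check run over a handful of constructed CloudTrail-style records. It assumes a hypothetical account 111122223333, a role named example-WAF-Role, an instance i-0123456789abcdef0, a VPC on 10.0.0.0/16 with NAT egress from 203.0.113.10, and uses 198.51.100.7 as the attacker's VPN/Tor exit. The rule keys on the one thing the EC2 metadata service gives away for free: instance-profile credentials are assumed-role sessions whose session name is the instance id, so they should never appear in CloudTrail from an address outside the account's own networks.

```python
"""Detection pass over CloudTrail records for the credential-theft pattern:
EC2 instance-role credentials (obtained via the metadata service) being used
from an address that is not the instance, followed by S3 enumeration."""
import ipaddress
from collections import defaultdict

# Hypothetical trusted egress for the account: the VPC CIDR and the NAT
# gateway's public address. Instance-role credentials should never show up
# in CloudTrail from anywhere else.
TRUSTED_SOURCE_NETS = (
    ipaddress.ip_network("10.0.0.0/16"),
    ipaddress.ip_network("203.0.113.10/32"),
)

INSTANCE_ARN = "arn:aws:sts::111122223333:assumed-role/example-WAF-Role/i-0123456789abcdef0"

# Constructed CloudTrail-style records, not real Capital One logs. Account id,
# role name, instance id, bucket names and IPs are made up; 198.51.100.7 plays
# the attacker's VPN/Tor exit. Only the fields the detection needs are kept.
SAMPLE_EVENTS = [
    {"eventTime": "2019-03-22T10:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN},
     "requestParameters": None},
    {"eventTime": "2019-03-22T15:01:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN},
     "requestParameters": None},
    {"eventTime": "2019-03-22T15:02:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN},
     "requestParameters": {"bucketName": "example-applications-2016"}},
    {"eventTime": "2019-03-22T15:03:44Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN},
     "requestParameters": {"bucketName": "example-applications-2016",
                           "key": "applications-2016-q1.csv"}},
    {"eventTime": "2019-03-22T15:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN},
     "requestParameters": {"bucketName": "example-applications-2017",
                           "key": "applications-2017-q3.csv"}},
    # A human operator assuming a role over a VPN: same foreign address, but a
    # human session name, so a different rule (not this one) should judge it.
    {"eventTime": "2019-03-22T16:30:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ops-role/alice"},
     "requestParameters": {"bucketName": "example-ops-reports", "key": "r.txt"}},
]


def session_name(arn):
    """The session name is the last path component of an STS assumed-role ARN."""
    return arn.rsplit("/", 1)[-1]


def is_instance_role_session(identity):
    """Credentials handed out by the EC2 metadata service are assumed-role
    sessions whose session name is the instance id, so 'i-' is the fingerprint."""
    return (identity.get("type") == "AssumedRole"
            and session_name(identity.get("arn", "")).startswith("i-"))


def is_trusted_source(source, trusted_nets):
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        # Service-to-service calls carry a hostname (e.g. s3.amazonaws.com)
        # instead of an address; they are out of scope for this rule.
        return True
    return any(ip in net for net in trusted_nets)


def find_instance_credential_misuse(events, trusted_nets=TRUSTED_SOURCE_NETS):
    """Return the events where instance-role credentials were used from outside
    the trusted networks: the signature of credentials lifted via SSRF."""
    return [ev for ev in events
            if is_instance_role_session(ev["userIdentity"])
            and not is_trusted_source(ev["sourceIPAddress"], trusted_nets)]


def summarize_s3_access(alerts):
    """Per stolen session: how many ListBuckets calls, which buckets were
    touched and from where. ListBuckets followed by reads across many buckets
    is the enumerate-then-sync pattern described in the indictment."""
    summary = defaultdict(lambda: {"list_buckets": 0, "buckets": set(), "sources": set()})
    for ev in alerts:
        if ev["eventSource"] != "s3.amazonaws.com":
            continue
        entry = summary[session_name(ev["userIdentity"]["arn"])]
        entry["sources"].add(ev["sourceIPAddress"])
        if ev["eventName"] == "ListBuckets":
            entry["list_buckets"] += 1
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        if bucket:
            entry["buckets"].add(bucket)
    return dict(summary)


if __name__ == "__main__":
    hits = find_instance_credential_misuse(SAMPLE_EVENTS)
    for ev in hits:
        print(ev["eventTime"], ev["sourceIPAddress"], ev["eventName"])
    for session, info in summarize_s3_access(hits).items():
        print(session, info["list_buckets"], sorted(info["buckets"]), sorted(info["sources"]))
```

Against the sample, the four S3 calls made with the instance's credentials from 198.51.100.7 are flagged, the instance's own DescribeInstances call via the NAT gateway is not, and the human ops-role session from the same foreign address is deliberately left to a separate rule. On a real account the trusted set is the VPC CIDRs plus NAT and VPC-endpoint addresses, and the same logic can be run continuously as a CloudTrail-driven Lambda or as an Athena query; GuardDuty's InstanceCredentialExfiltration finding covers the same signal as a managed service.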