How a Hacker Broke into the Capital One Servers

2020 Cybersecurity guide for Pittsburgh business: digital security, hackers and phishing
September 4, 2019

What if you are a larger organization with years of service and thousands, if not millions, of customers?

Yep, data breaches can happen there, too.

Let’s look at the Capital One data breach, what likely happened, and how you can avoid something similar.

Paige Thompson broke into Capital One servers and gained access to over 140,000 Social Security numbers, 1,000,000 Canadian Social Insurance numbers, and over 80,000 bank account numbers and related information, along with an untold number of users’ names, addresses, banking histories, credit histories and more.

Capital One is no small fish.

Founded in 1994 as a spinoff of Signet Financial’s credit card division, Oakstone Financial, Capital One is the 10th largest bank in the U.S. based on assets. Capital One is also the second-largest auto finance company, and the 5th largest credit card processor by purchase volume.

Like I said, Capital One is no small fish.

Even with their size, their PCI-DSS compliance obligations, and their endless ability to hire the right people and secure their systems the right way, their security still failed.

How did this happen?

Ms. Thompson simply exploited a misconfigured firewall. She began by knocking on doors – virtually, of course. When she found a door that had been left open, she opened it.

The “door” was a server operating between Capital One’s cloud and its public website. Once she could reach it, she used it to request metadata (data about data). From that metadata she was able to obtain the keys used for secure access to Capital One’s protected systems.

Basically, Capital One had shut their front door but never locked it. The hacker dug through the drawers until she found the keys to the safe, then simply unlocked the safe and emptied it.
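As an added example (not code from the original post or from Capital One), here is what an “unlocked door” of this kind looks like in code, assuming the intermediary server was fetching web URLs on a visitor’s behalf: a weak target check that lets the server be pointed at the cloud metadata endpoint, beside a hardened check and a log scan that flags such requests. The hostnames, addresses, DNS table and log lines are all constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of backends this forwarding component may fetch from.
ALLOWED_HOSTS = {"api.internal.example", "static.example", "cache.example"}

# Constructed stand-in for DNS so the example runs offline. "cache.example" is
# allowlisted but has been pointed at the link-local metadata address range.
FAKE_DNS = {
    "api.internal.example": "10.0.5.20",
    "static.example": "203.0.113.8",
    "cache.example": "169.254.169.254",
}

def resolve(host):
    """Return the address for a host; a literal IP is returned unchanged."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        return FAKE_DNS.get(host)

def weak_forward_target(url):
    """Weak check: any http(s) URL passes, so the forwarder can be steered at
    anything the server itself can reach, the metadata endpoint included."""
    return urlsplit(url).scheme in ("http", "https")

def hardened_forward_target(url):
    """Hardened check: scheme, host allowlist, and the resolved address must not
    be link-local, loopback or reserved (catches an allowlisted name pointed at metadata)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return False
    addr = resolve(parts.hostname)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return not (ip.is_link_local or ip.is_loopback or ip.is_reserved)

# Constructed access-log lines: "<client> <forwarded-url> <status>".
SAMPLE_LOG = [
    "198.51.100.7 http://static.example/logo.png 200",
    "198.51.100.9 http://cache.example/meta-data/ 200",
    "198.51.100.9 http://169.254.169.254/meta-data/ 200",
]

def flag_forwards(lines):
    """Return log lines whose forwarded URL fails the hardened check; these are
    the requests a responder would examine first when reviewing such a server."""
    return [line for line in lines if not hardened_forward_target(line.split()[1])]
```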

Ms. Thompson was arrested on July 29th, but her attacks on Capital One began in March and continued for a few weeks. During that span, Capital One carried on business as usual: they simply did not know about the intrusion, because the activity never looked like one.

Capital One has no room to defend itself.

Here’s why…

Capital One’s data breach could have been avoided. The exploited firewall software had a known vulnerability that Capital One chose not to fully fix.

It’s the simple fixes that people overlook that can cause the most damage. Many times, it’s due to the “oh, that will never happen to me” mindset. Now, because of it, Capital One is the subject of many different lawsuits, and the data breach (that could have been avoided) is costing the company hundreds of millions of dollars in 2019 alone.