Amazon's cloud was at the heart of the big Capital One hack, even though it doesn't seem to be at fault

  • On Monday evening, federal prosecutors said a tech worker named Paige A. Thompson had been charged with computer fraud and abuse on allegations that she stole data from millions of Capital One customers.
  • The criminal complaint said Thompson took advantage of a “firewall misconfiguration” that gave her access to data stored in a Capital One cloud server.
  • While the complaint doesn’t name the cloud provider at the heart of the matter, Amazon confirmed to Bloomberg that it was Amazon Web Services. Capital One has been a major AWS customer since at least 2016.
  • Thompson was an Amazon Web Services employee until 2016, the company told Bloomberg.
  • Capital One said in its initial statement that the cloud provider wasn’t at fault, and the criminal complaint seems to back up that assertion.
  • The New York Times also reported that “Amazon said it had found no evidence that its underlying cloud services were compromised.”
  • This seemed to be an error in IT setup and management and not a flaw with AWS itself.

On Monday evening, federal prosecutors said a tech worker named Paige A. Thompson had been charged with computer fraud and abuse on allegations that she stole data from millions of Capital One customers.

In the complaint, we get some technical details about how investigators say it went down: A “firewall misconfiguration” left one of Capital One’s cloud servers vulnerable, allowing Thompson to send commands that let her access the sensitive data in question.

The complaint doesn’t name the cloud provider used by Capital One in this instance, referring to it only as “Cloud Computing Company.” However, a screenshot of a Slack conversation included in the complaint appears to show Thompson referring to “s3,” the name of Amazon Web Services’ cloud-storage product for developers.

A representative for Amazon Web Services confirmed to Bloomberg that AWS had stored the data. The New York Times reported that “Amazon said it had found no evidence that its underlying cloud services were compromised.”

In 2016, Capital One signed a key deal to make Amazon Web Services its “predominant” cloud-computing provider.

The complaint alleges that Thompson was able to use that “misconfiguration” to send a command that allowed her to obtain security credentials for a specific account, which she was able to use to access “certain of Capital One’s folders at the Cloud Computing Company.”

Also of note is that Thompson was a former Amazon Web Services employee, an Amazon representative confirmed to Bloomberg. A résumé seen by Business Insider, posted on what appears to be Thompson’s personal account on GitLab, a popular code-sharing service, seems to show that Thompson worked on the S3 service from 2015 to 2016.

This is consistent with the complaint, which said Thompson was a former employee of the same “Cloud Computing Company” involved in the Capital One breach and worked there during the same time span.

However, the complaint doesn’t seem to fault Amazon Web Services – and neither, it appears, does Capital One.

“This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments,” Capital One said in a press release on the data breach. “The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.”

In other words, Capital One appears to be saying, this didn’t stem from any inherent flaw or vulnerability in the cloud. Furthermore, it has been only 10 days since the hack was discovered, Capital One said; in its statement, Capital One credits its use of the cloud for the ability to find and fix the problem.

There is plenty of precedent here, though rarely so dramatic. In 2018, Tesla acknowledged that hackers had broken into its Amazon Web Services account and used it to mine cryptocurrency. The hack was discovered when the security firm RedLock found a Tesla IT administrative console that didn’t have a password.

“Given the immaturity of cloud security programs today, we anticipate this type of cybercrime to increase in scale and velocity,” RedLock’s chief technology officer, Gaurav Kumar, told Business Insider at the time.

Amazon did not immediately respond to a request for comment.
