I’m sure that by now you’ve seen the news, and the hot takes, on the Capital One data breach.
Many of the articles I’ve seen about it have focused on the fact that they went from finding the breach on July 19 to an arrest on July 29, which is pretty amazing really. But I’m not ready to start proclaiming Capital One the new standard-bearer for breach response just yet.
First off, the breach apparently started in March, and the data dump that was found was dated April 21. Capital One didn’t know anything about it until someone told them:
On July 17, a tipster wrote to a Capital One security hotline, warning that some of the bank’s data appeared to have been “leaked,” the criminal complaint said.
After that, apparently it was fairly easy to track down the hacker, because she bragged about it online.
The suspect, Paige Thompson, 33, left a trail online for investigators to follow as she boasted about the hacking, according to court documents in Seattle, where she was arrested and charged with one count of computer fraud and abuse.
There are more details elsewhere, including the fact that the data was stored under an account with her name on it, and that she bragged about it using the handle “erratic”, which she also used to share details about herself, including a pic of her cat’s vet bill. She practically gave the FBI a map to the data and to her identity. Great that they were able to follow it, but let’s not talk about how great the cyber defense was here.
So, while yes, she was a former Amazon employee who worked with AWS, she doesn’t appear to be the brightest hacker out there.
And yet, she was still able to easily make off with “140,000 Social Security numbers and 80,000 bank account numbers.”
All because someone at Capital One built an application using AWS and left a firewall misconfigured.
Far from a victory for cybersecurity folks, this is actually kind of embarrassing. We are failing when it comes to protecting data, and this just makes that more obvious.