Transgender software engineer Paige Thompson - a former employee of Amazon's cloud division, which hosts Capital One's data - is accused of carrying out the hack.
In 2015, Capital One's chief information officer, Rob Alexander, promoted the steps the bank had taken to protect its financial data. In his keynote address at an Amazon Web Services conference, Alexander said Capital One had looked to AWS to meet customer demand, cut back on its data centers and boost security, especially since "the financial services industry attracts some of the worst cybercriminals."
Four years later, Capital One was hacked in one of the largest-ever data breaches of a big financial institution. And in the end, the bank's embrace of cloud services couldn't save roughly 100 million card customers and applicants from having their data compromised.
Instead, federal agents in Seattle arrested 33-year-old transgender software engineer Paige Thompson, who is accused of breaking through a misconfigured Capital One firewall. The hole meant a hacker could reach the server where Capital One was storing its information and get into customer data.
Amazon told The New York Times that its cloud had stored the stolen Capital One data. But the bank said that "this type of vulnerability is not specific to the cloud," adding that it was able to quickly diagnose and fix the issue because of its "cloud operating model." Amazon told the Times that it found no evidence that its underlying cloud services were compromised.
Amazon did not respond to a request for comment Tuesday morning. (Amazon founder and chief executive Jeff Bezos owns The Washington Post.)
On Monday, the Virginia-based bank said a hacker had accessed roughly 100 million credit card applications. Federal prosecutors say the breach also included 140,000 Social Security numbers and 80,000 bank account numbers, culled from tens of millions of credit card applications. Capital One said the data came from credit card applications that customers and small businesses submitted from 2005 to early 2019. The bank said it expects the cost to the company to range from $100 million to $150 million in the near term.
The hack is one of the most severe to affect the financial services industry. Two years ago, Equifax announced that hackers had stolen the personal information of 147 million people. Last week, the company reached a $700 million settlement with U.S. regulators over that breach.
Capital One has been a leading advocate in the banking world for cloud services. The company is migrating more of its applications and data to the cloud, Bloomberg reported, and plans to be done with its data centers by the end of 2020, in part to reduce costs. Other financial firms have been more wary of cloud services, largely for security reasons.
Cloud-hosting services like AWS are especially attractive to companies looking to cut costs, said Jonathan Stone, chief technology officer for the IT consulting firm Kelser. Building and running data centers carries a hefty price tag, often tens of millions of dollars. But with a third-party service, "you can be an expert in your business and not necessarily have to know how all the plumbing works," Stone said.
But that assurance didn't protect Capital One from its own firewall issue that federal officials say allowed Thompson to break through. Thompson was an AWS employee who last worked at Amazon in 2016, a company spokesman told Bloomberg. The spokesman noted that the breach Capital One described did not require insider knowledge.
Before the hack, Capital One set up an email address for tipsters to raise alarms about potential holes in the company's systems. According to federal prosecutors, the bank received one email suggesting leaked data had shown up on GitHub, a site for collaborating on software code.
The posts linked to her full name, email address and other online records belonging to her, court documents show. Thompson used the online nickname "erratic" and openly talked about her hacks, federal prosecutors said.
"I've basically strapped myself with a bomb vest, f------ dropping capitol ones dox and admitting it," Thompson allegedly wrote under the alias in a June 18 Twitter message.
Stone said that while Capital One missed the firewall vulnerability on its own, the bank moved quickly once it did. That certainly was helped by the fact that the hacker allegedly left key identifying information out in the open, Stone said.
But the hack also raises questions about how companies handle and store historical data, like credit card applications going back more than a decade.
"The more stuff you have laying around," Stone said, "the more chance you have of something bad happening with it."