Quantify Cyber Risk Now

header ads

Capital One breach explained | Lucideus

The hack on Capital One, a 45B$ Bank, exposes the state of cybersecurity across the financial services industry. Capital One ranks 10th on the list of largest banks in the United States by assets and spends upwards of a billion dollars on IT. With this breach, one out of every three citizens in the United States have been affected. The data breach has not only resulted in loss in reputation, but has significantly impacted the business. Capital One's stock was down 4% after hours late Monday night. 

The accused, Paige Thompson, intruded the servers contracted by Capital One from a third party cloud services provider between March 2019 - July 2019.

Capital One supports its services, in part, by renting or contracting for computer services provided by the AWS.

Where was the data stored: Capital One stores credit card application and other information, across multiple states located outside the State of Washington. Deposits of Capital One are insured by the Federal Deposit Insurance Corporation.

Considering Capital One is a large financial institute, computers on which it stores credit card applications are protected as per the terms defined in 18.U.S.C. 1030(c).

The Havoc

Capital one maintains an email address through which it solicits disclosures of actual or potential vulnerabilities in its customer systems and it also helps Capital One learn of, and attempt to avert breaches in its systems. Bug  bounty hunters are also send emails to this address.

Alarm Day : On July 17, 2019 at 1:25AM, an individual who was previously unknown to Capital one sent an email to this address.

The individual's e-mail highlighted that Capital One's leaked data was available on Github, and provided the address to the GitHub file containing this leaked data.

Capital One on RED Alert: After receiving this information Capital One examined the Github file, which was timestamped as April 21,2019 (aka file name April 21 File"). Capital One determined that the April 21 file contained the IP address for a specific server.

A Firewall misconfiguration permitted commands to reach and be executed by that server, which enabled access to folders or buckets of data in Capital One's Storage space at Amazon Web Services (AWS).

The Finding:
Capital One determined that the April 21 file contained code of three commands, as well as a list of more than 700 folders or buckets of data.

First Command that was executed: This command was executed to obtain security credentials of an account named ****-WAF-Role, that enabled access to certain folders of Capital One on the cloud computing company(AWS).

Second Command: Second Command was the List Bucket Command: When executed, the ****-WAF-Role account displayed the the names of folders or buckets of data in Capital One's storage space.

Third Command Executed: Sync Command : Once this command was executed, the ****-WAF-Role account could extract or copy data from those folders or buckets in Capital One's storage space for which the ****-WAF-Role account had the requisite permissions.

Capital One tested the above three commands in the April 21 file, and confirmed that commands did, in fact function to obtain Capital One's Credentials.

Capital One also reported that its computer logs reflect the fact that the List Buckets command was executed on April 21,2019. Additionally,  the time stamp in Capital One's logs matched the timestamp in the April File.

According the Capital One, its' logs show a number of connections or attempted connections to Capital One's server for TOR exit nodes, and a number of connections from the IP address beginning with 46.246.

As per Logs of Capital One

March 12, 2019 :
IP address attempted to access Capital One's data. This IP was controlled by Ipredator, a company that provides Virtual Private Network (VPN) Services.

March 22,2019 : ****-WAF-Role account was used to execute the LIST Buckets Command several times. These commands were executed from an IP address, which we believe are TOR exit nodes. As per Capital One, the ****-WAF-Role account does not in the ordinary course of business, invoke the List Buckets command.

March 22, 2019: Once again, the account was used to execute the Sync Command multiple times to obtain data certaindata folders of buckets, including files that contained credit card application data with IP which was, belonging to the VPN provider mentioned above

March 22, 2019 : One file was copied from Capital One's folder or buckets named *****c000.snappy.parquet, and this was the only time ****-WAF-Role account accessed the SNappy Parquet file between January 1, 2019 to July 20, 2019.


According to Capital one, the dump of buckers includeapproximately 120,000 Social Security Numbers and 77,000 bank account Numbers. Although some of the information on those applications such as (Social Security Numbers has been tokenised or encrypted other information including applicant' name , address, Date of Birth, and information regarding their credit history had not been tokenised.

Post a comment