Capital One Leak Caused By Insufficient Corporate Surveillance of Cloud Security
October 2019 by HEFICED
Earlier this year, the US credit card provider Capital One suffered one of the most jarring data leaks of the last decade. Sensitive financial data from over 106 million customers was stolen and left freely accessible on the web for weeks. Recent analyses are now showing how the massive corporate structure of third-party contractor Amazon may have caused problems with shared data infrastructure, risk assessment, awareness of potential threats, and security upgrades.
“The entire story is quite baffling,” comments Vincentas Grinius, CEO of Heficed, a provider of dedicated server solutions. “Very little hacking was actually involved; the alleged criminal exploited insider knowledge that was not revised or updated for years, and the crime was only noticed after she posted about it repeatedly on the internet.”
New reports have now revealed that the alleged hacker Paige Thompson had previously worked as a systems engineer at Amazon.com. Aside from trading goods, the retail giant also offers its infrastructure for cloud computing, which in Capital One’s case was used for data storage. According to her LinkedIn profile, Thompson quit the job almost three years ago.
It seems that during her time with Amazon she gained inside knowledge that allowed her to access the cloud data storage, not only after she left the company but still earlier this year. This means that no substantial upgrades were made to the inner workings of the Amazon cloud during that time.
Cloud servers have distinct advantages but also disadvantages, particularly in a large-scale corporate context. Specifically, companies of Amazon’s size often cannot offer dedicated servers, which alleviate many of those disadvantages. “Smaller companies can offer dedicated servers, meaning that they are used by one client only and can be completely customized according to the client’s wishes. Not only that, companies of our size create a personal rapport with the client, which is practically non-existent when talking about huge providers,” Grinius adds.
The recent reports further revealed that Thompson announced her crime before the fact. She was highly active on numerous message boards and even posted on Twitter about a number of companies whose data she thought was in danger of exposure due to faulty Amazon technology. By the time she made those claims, she had already had access to the Capital One customer data in question for three months.
This boasting, as well as the security flaws that must clearly have existed, simply went under the radar. “Perhaps it is simply impossible for an organisation of Amazon’s size to pay attention to these seemingly small details, but the outcome has shown how important such oversight is,” comments Grinius. “Niche providers cannot afford any carelessness, because the web hosting business is our lifeblood. Amazon, on the other hand, has many areas of operation it can survive on.”
More than anything, the Capital One case shows the dangers of using shared servers that are in the hands of very large corporations.
At the same time, maintaining dedicated client servers requires a level of detail orientation that large corporate providers often cannot provide. “A dedicated server would have been constantly monitored for potential security breaches. Someone would have picked up on the leaks in the cloud, or on the threats of exposing the client’s data on Twitter, or at the very latest on the actual user data being posted on GitHub,” concludes Grinius. “In this case, Capital One only learned of the breach when an unrelated user sent an email alerting them of their data being openly accessible.” Throughout the entire process, Amazon remained unaware.