Hacking Capital One and inviting arrest

On 29 July it was reported that Capital One had been hit by a cyber-attack, resulting in the theft of data belonging to 106 million of its customers in the United States and Canada.

Virginia-based Capital One is the third largest credit card issuer in the US: with the number of people impacted by the breach, this is one of the biggest data heists ever.

The stolen information included details from tens of millions of credit card applications filed with Capital One between 2005 and 2019: it comprised customers’ home addresses, phone numbers, email addresses, credit scores, and other financial details.

Capital One issued a statement about the attacks, confirming that the theft included:

About 140,000 Social Security numbers of our credit card customers
• About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

At the same time as the news of the data theft was disclosed, it was announced that the alleged perpetrator, Paige Thompson, had been arrested. And this is where this incident gets even more interesting. For reasons known only to herself, Thompson had made no attempts to cover her tracks.

On 21 April this year, having accessed and harvested the data, apparently by exploiting a misconfiguration in Capital One’s Amazon Web Services (AWS) server, Thompson proceeded to post her haul on her GitHub account – the same account that contained her cv with full name and contact addresses, along with employment details.

She was apprehended following a tip-off from a GitHub user, who reported her to Capital One after she had apparently ‘boasted’ about her hacking attack on a forum under the name ‘Erratic’. In fact, this is the only reason Capital One was alerted to the compromise: the company had failed to notice either the misconfigured server or the theft of the data.

As Thompson had previously worked at AWS, she was described as an insider threat. However, many security researchers spend their time looking for misconfigured servers and exposed data. Every week we read of instances where data has been left publicly accessible.

Just recently, for instance, an unsecured Elasticsearch database exposed some 134 million documents with 40 GB worth of information on around 300,000 Honda employees.

And this week it was announced that US movie ticket subscription service MoviePass had left a huge database containing more than 160 million records exposed online without password protection. The data included credit card numbers and expiry dates, billing information, names and postal addresses. A review found that enough information had been exposed to enable fraudulent card purchases to be made.

The disclosure of the Capital One breach was sufficiently worrying for both Republican and Democrat politicians in the US to immediately issue a demand for further information from Amazon about their cloud security services.

Meanwhile, Capital One is predictably facing various hugely expensive lawsuits over the breach. What is particularly interesting, however, is that legal proceedings have also been launched against GitHub which, it is alleged, should have been aware that the data had been posted on its site since April and should therefore have taken appropriate action and removed it.

A 28-page lawsuit has been filed in the US District Court for the Northern District of California claiming that GitHub "actively encourages (at least) friendly hacking". It continues: "GitHub had an obligation, under California law, to keep off (or to remove from) its site Social Security numbers and other Personal Information."

Ignoring the question as to what the concept of ‘friendly hacking’ might encompass, the lawsuit presents a possibly fascinating legal argument concerning whether or not a third-party can be held responsible for the information posted by a user.

One other point worth noting is that there could be implications for Capital One under the EU’s General Data Protection Regulation (GDPR). Although it was reported that only US and Canadian customers were affected by the data compromise, any EU citizen could hold an account with the company: therefore, it will be subject to the rules and any ensuing fines.

More recently, it was reported that Thompson may also have hacked and stolen data from 30 other organisations. They have not been identified, but the US Attorney’s Office in Seattle claimed that information from 30 unnamed, educational organisations and companies had been found on servers in her bedroom.

However, a letter from AWS has since stated that it was “not aware of any breaches at other “noteworthy” customers", cautioning that there “may have been small numbers of these that haven’t been escalated to us”.

Thompson’s lawyers are now arguing for her to be released from jail; she is described as transgender and in need of better access to medical help for various psychiatric problems she claims to be suffering from. Whatever the outcome of her trial, there is as yet no evidence that she has attempted to profit in any way from her crime.

More information about the reasons for her actions will no doubt continue to emerge as investigations and court proceedings progress. At the same time, both AWS and Capital One will certainly come under further scrutiny from cyber security analysts and government officials.