Cyber Threat Bulletin - Former AWS Engineer Arrested for Stealing Capital One Customer Data - July 3
Former AWS Engineer Arrested for Stealing Capital One Customer Data
The U.S. Federal Bureau of Investigation (FBI) recently arrested a former Amazon Web Services (AWS) engineer accusing her of breaching an Amazon Simple Storage Service (S3) instance operated by U.S.-based financial institution Capital One. According to the FBI, the attacker exploited a misconfiguration in a Capital One-controlled firewall to obtain the credentials of an escalated privilege account. These illicitly obtained credentials allowed the attacker to run various reconnaissance and exfiltration commands. Digital artifacts confirmed the threat actor may have been able to access more than 700 folders or S3 buckets during the breach. Breached information included the personally identifiable information (PII) of 106 million card customers’ and applicants’ names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Capital One collected the information from consumers and small businesses at the time they applied for a Capital One credit card product from 2005 through early 2019. The data also included 140,000 Social Security numbers, and the bank account numbers of approximately 80,000 customers.
Certain reports imply the accused leveraged web application firewall (WAF) credentials from her former AWS employer to escalate privileges. While we agree the digital artifacts and evidence imply WAF credentials initially facilitated the privilege escalation and access, we have seen no evidence to confirm the WAF credentials were obtained from, maintained by, or retained by the accused after employment with, AWS. AWS terms of service stipulate the customer, in this case Capital One, is solely responsible for security and appropriate configuration of the AWS buckets and associated infrastructure. Secondary reporting, none of which has been confirmed in the same manner as the Capital One breach, implies numerous other organizations were impacted by the same individual during the same timeframe. Based on artifact filenames alone, other affected organizations and exfiltrated data may include 2.3GB of data from Ford Motor Company, 25GB from Apperian, 38GB from Global Garner, and 204KB from Infoblox, among others. There is no indication GM data was affected, and we are currently working to obtain additional details of the firewall misconfiguration that led to this and potentially other breaches.