Misconfiguration vulnerability the culprit for Capital One data loss - WSJ

A configuration vulnerability in Amazon's cloud metadata service led to the theft of 106 million Capital One Financial records, according to a story by The Wall Street Journal.

The Wall Street Journal reported (subscription required) that Paige A. Thompson, a former employee of Amazon's cloud-computing unit, allegedly was able to exploit a vulnerability in the cloud that cybersecurity experts had previously warned about.

Thompson was arrested on July 29, and remains in jail while awaiting a bail hearing scheduled for Aug. 15. The WSJ said it reviewed hundreds of Thompson's online messages, and interviewed people who were familiar with the investigation.

In her online messages, Thompson claimed she used a trick in the cloud to uncover the credentials she needed to access customers' records. Security professionals have for years warned about the configuration vulnerability that led to the data loss. Thompson was able to tap into Amazon's cloud metadata service, which holds the credentials and other data needed to manage servers in the cloud, according to The WSJ.

The first step of Thompson's alleged hack occurred in March, according to her online postings. Thompson ran a scan of the internet to find vulnerable computers that could give her access to companies' internal networks.

With Capital One, Thompson found a computer managing communications between the company's cloud and the public internet was misconfigured, and had weak security settings.

Through that "door," Thompson was able to request the credentials needed to find and read Capital One's data from a system on the Amazon cloud, which included the metadata service, where the information was stored, according to The WSJ's sources. Once Thompson found the data, she was able to download it without triggering any alerts.

Amazon said in a statement that none of its services, including the metadata service, were the underlying cause of the hack, and that it offers monitoring tools that are designed to detect this type of break-in.

An FBI affidavit said a Capital One error enabled the breach, while Capital One said it has fixed the configuration problem.

While Thompson started her hacking on March 12, Capital One didn't find out about it until 127 days later, after being tipped off by an outside researcher, according to The WSJ.

The WSJ story said misconfigured servers enabling outsiders to access sensitive metadata weren't limited to Amazon Web Services, as a researcher also found problems with systems running on Microsoft's cloud.

The WSJ story said it was unclear why none of the alerting tools appeared to have triggered alarms at Capital One, and that the incident also highlighted concerns related to cloud computing. 
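The article notes that the data was downloaded without any alert firing, and that the cloud provider offers monitoring tools meant to catch this type of break-in. The following is an added example of one such detection check, written for this page and not taken from the WSJ story, Capital One, or Amazon. It assumes CloudTrail-style audit records (the field names follow the public CloudTrail schema) and a constructed allow-list of source address ranges; the sample events, instance IDs, role names and IP addresses are all made up. The rule it implements is a generalization of the incident described above: credentials that belong to a cloud server's instance role should only ever be used from that server's own network, so any API call made with such credentials from an unexpected source address is worth an alarm.

```python
"""Flag EC2 instance-role credentials used from outside the instance's network.

Added example (not from the article). Input records are CloudTrail-style
dicts; the sample data below is constructed for illustration only.
"""
import ipaddress
from typing import Iterable, List, Optional

# Constructed allow-list: the VPC range plus the NAT egress address that an
# instance's outbound API calls are expected to come from. Placeholder values.
EXPECTED_SOURCE_RANGES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Constructed CloudTrail-like events. CloudTrail records instance-profile
# credentials as an AssumedRole whose session name is the instance ID.
SAMPLE_EVENTS = [
    {"eventTime": "2019-03-12T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "10.20.3.14",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-proxy-role/i-0abc123def456"}},
    {"eventTime": "2019-03-12T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-proxy-role/i-0abc123def456"}},
    {"eventTime": "2019-03-12T22:41:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-proxy-role/i-0abc123def456"}},
    {"eventTime": "2019-03-12T22:43:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-proxy-role/i-0abc123def456"}},
    # An IAM user calling from outside is a different question; not this rule's job.
    {"eventTime": "2019-03-12T23:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    # Service-initiated calls carry a DNS name instead of an IP address.
    {"eventTime": "2019-03-12T23:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "cloudfront.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/web-proxy-role/i-0abc123def456"}},
]


def instance_session(event: dict) -> Optional[str]:
    """Return the instance ID if the caller used instance-profile credentials, else None."""
    identity = event.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    session_name = identity.get("arn", "").rsplit("/", 1)[-1]
    return session_name if session_name.startswith("i-") else None


def source_is_expected(source: str, ranges: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True if the source is an IP inside an allowed range.

    Non-IP sources (AWS service names) are treated as expected: they are not
    a sign of stolen credentials and would only add noise to this rule.
    """
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in ranges)


def flag_external_role_use(events: Iterable[dict],
                           ranges: Iterable[ipaddress._BaseNetwork] = EXPECTED_SOURCE_RANGES) -> List[dict]:
    """Return one finding per API call made with instance-role credentials from
    an address outside the expected ranges."""
    ranges = list(ranges)
    findings = []
    for event in events:
        instance_id = instance_session(event)
        if instance_id is None:
            continue
        source = event.get("sourceIPAddress", "")
        if source_is_expected(source, ranges):
            continue
        findings.append({"time": event.get("eventTime"), "instance": instance_id,
                         "source": source, "call": event.get("eventName")})
    return findings


if __name__ == "__main__":
    for finding in flag_external_role_use(SAMPLE_EVENTS):
        print(f"{finding['time']} {finding['instance']} credentials used from "
              f"{finding['source']}: {finding['call']}")
```

On the sample data the rule flags the two calls from 198.51.100.7 and nothing else; in a real deployment the allow-list would be derived from the account's VPC CIDRs and NAT addresses rather than hard-coded, and the findings fed to whatever alerting pipeline the organisation already runs.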


A recent report by StackRox found that misconfigurations and accidental exposures were the biggest container security concerns.