Capital One gets Capital Done: Hacker swipes personal info on 106 million US, Canadian credit card applicants

A hacker raided Capital One's cloud storage buckets and stole personal information on 106 million credit card applicants in America and Canada. The swiped data includes 140,000 US social security numbers and 80,000 bank account numbers, we're told, as well as one million Canadian social insurance numbers, plus names, addresses …

  1. Synkronicity

    "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right"

    Read: a worthless credit monitoring service you already got for free from any number of data breaches you've been previously exposed to. The lawyers, regulators, and auditors all get their hush money whilst society moves on to the next data breach learning nothing.

    Much like our other daily occurrence: mass shootings.

    1. Dan 55 Silver badge

      Our thoughts and prayers go out to the credit card holders.

      1. fobobob

        "Why do we keep receiving boxes full of moldy tater-tots and pears?"

  2. elDog

    "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right"

    When the CEOs and others in the chain-of-command start to hear the clang of the jail doors behind them, then they will understand the word "worry".

    Capital One has long been one of the worst usurers in the US. Maybe they could just offer total debt forgiveness to all their customers as a path towards redemption.

    1. Chairman of the Bored

      Crapital One & usury

      A good point; this organization is a den of thieves. Problem is that this whole episode squeezes their customers even harder, the firm itself will be fine.

      Book recommendation: Broke, USA by Rivlin.

      $0.001 question - what am I going to do with all the free credit monitoring services I've been "given"? I've got three simultaneous BS services now, from three breaches.

      1. NetBlackOps

        Re: Crapital One & usury

        Better than what I got from the VA and OPM breaches which was nada. Capital 1 will be my first for that even though they denied me.

  3. quartzz

    "Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised." -- they almost sound like they are sure about that.

    1. Yet Another Anonymous coward Silver badge

      99 percent of Social Security numbers were not compromised

      I.e. the 99% of the population that weren't customers.

      It's like asking the court to consider the 99.999999% of the world population that weren't murdered by my client

  4. Brian Miller
    FAIL

    Grab data, post data, alert world+dog

    "I've basically strapped myself with a bomb vest, fucking dropping Capital Ones [sic] dox and admitting it."

    Yeah, she done blew herself up good. Yeesh. I have no idea what the point is to crap like this. Notoriety? In the slammer? Her alias was "Erratic", and boy, does that one fit.

    1. Phil Kingston
      Facepalm

      Re: Grab data, post data, alert world+dog

      I think the real takeaway here is that even the FBI managed to track down someone who "used her full real name as the account name". You can't get much past them these days.

      1. Halfmad

        Re: Grab data, post data, alert world+dog

        I wonder if her details were in the bucket of data too; that would have meant they have the perp and their details in one handy spot.

  5. Anonymous Coward

    Canadian Sinners

    Are numbered - probably the deep state, wouldn't you know. I've always wondered how they know what I'm partial to. 999,999,999 choices.

  6. Pete4000uk

    What was the point...

    ...of getting yourself a long stretch in prison?

    To prove some point?

    To look 'big'?

    To screw a large company over?

    Or just to screw people over?

    Either way, I hope she likes the company of other women (assuming it was her, of course)

    1. Anonymous Coward

      Re: What was the point...

      Martyr syndrome, few years in the clanger and then write a book to cash in.

  7. Anonymous Coward

    You keep it for how long?!

    The pilfered data was submitted to Capital One by credit card hopefuls between 2005 and early 2019.

    The real outrage here is not that the data was taken - it is that Capital One still keeps the data from 14-year-old credit card applications, presumably including those where the application was refused or where the customer has cancelled the card long ago, and no longer has any business relationship with Capital One.

    This is exactly why we need tools like GDPR, and we need them aggressively enforced by state regulators.

    1. Dan 55 Silver badge

      Re: You keep it for how long?!

      But marketing need to know data from 15 years ago because handwavey marketing reasons that mere mortals wouldn't understand.

    2. Anonymous Coward

      Re: You keep it for how long?!

      Companies get around the GDPR 6-year data retention rule in the UK by asking specific security questions relating to older data on your credit file, so that the information is then updated, aka renewed, by asking a security question related to it. In essence, it then becomes 'new updated data' on you, which can be kept again for another 6 years.

      Always refuse to answer any question that doesn't relate to the past 6 years, it's none of their business.

      Just state the question they are asking is related to information older than 6 years.

  8. gannett
    WTF?

    "applied for one of our credit card products from 2005 through early 2019 .. "

    Retaining application form data from 2005-2019? Some will be 10 years ago? Sounds like data hoarding to me.

  9. Potemkine! Silver badge

    Said friend tipped off Capital One

    With friends like that, who needs enemies?

    1. Nunyabiznes

      Sounds like that person was a better friend to society than to erratic - and I'm ok with that.

    2. Drew Scriver

      By contacting the friend the hacker made him/her complicit and forced the friend into a rather untenable position. Aside from the legal/ethical dilemma, the friend could have been rather certain that the FBI would come knocking sooner rather than later. Using her own name for the GitHub account was a sure sign that she wouldn't be free long and made it likely that she left other clues.

    3. Anonymous Coward

      Forward to Oct 2022 -

      Judge Lasnik, upon sentencing Paige Thompson to probation, said he's putting his reputation on the line that she will not commit any further crimes. “If that does happen, I’ll admit my mistake. I believe in her, and believe she will prove this is the right sentence.”

      I would say Paige being so "forthright" with her friend, and Paige's friend doing the right thing immediately left Paige better off than just about any other outcome - like ripping off the bandaid.

  10. elvisimprsntr

    Clearly, there is more to this story than we are being told. If her motivations were notoriety, she could have practiced responsible disclosure. Unless her motivation was spite, because she was the one responsible for the misconfigured systems and/or was fired from AWS. From photos of her in some articles, she looks like she might be a tweaker and may have some prior experience in the custody of the state. Perhaps a product of a prison educational program.

    Meanwhile, the real criminals continue to get away with it. Namely the predatory CC companies and WS.

  11. Miss Config
    WTF?

    From the CLOUD ???

    Thompson broke into Capital One's cloud-hosted storage, believed to be Amazon Web Services' S3 buckets, and downloaded their contents.

    Maybe I'm last to learn, as per, that a huge corporation such as Capital One actually uses the cloud for its storage.

    1. JohnSheeran

      Re: From the CLOUD ???

      Haven't you heard? The CLOUD has won. A LOT of large corporations in this country (US) are moving their stuff to these big providers. Even better, they are letting their developers be in charge of infrastructure. I'm sure that nothing ever goes wrong with those plans.

      1. Anonymous Coward

        Re: From the CLOUD ???

        News flash - a lot of health providers are doing it too including some really big.. like country sized ones in the UK..

        1. Yet Another Anonymous coward Silver badge

          Re: From the CLOUD ???

          I'm shocked to discover American banks were using computers. In my dealings with them I assumed all record keeping was by illuminated manuscript and delivered by snail express.

      2. Drew Scriver

        Re: From the CLOUD ???

        Developers have long been at war with engineers, operations, support, security, and so forth. The unfortunate reality is that they have, in many cases, won the war.

        Developers are now responsible for all aspects, including concept, design, development, testing, networking, security, application delivery, and break/fix.

        While the landscape has become much more complex, developers have finally won the recognition that they can, in fact, walk on water and master all disciplines.

        Sure, there are some checks and balances, but in the end the developers reign supreme.

  12. iron Silver badge

    No bank account numbers or Social Security numbers were compromised, other than 1,220,000 of them.

    Some great maths they've got there, must remember next time they want me to pay my bill that 0 = 1,220,000!

  13. Anonymous Coward

    Ah...The Cloud...the solution to ALL business problems.....

    ......until it isn't!!!

    *

    Oh...and it's cheap for the enterprise......

    *

    ......and expensive for all those customers!!!!

    *

    What am I missing here?

    1. inquisitive2014

      Re: Ah...The Cloud...the solution to ALL business problems.....

      Ah The Cloud .. What am I missing here?

      Sir, You are missing the fact that Cloud or No Cloud, securing data is important and poor data management practices have consequences. Accessing data through vulnerabilities in misconstrued Firewalls is a problem for on-premise systems as well as Cloud.

      My deep concern is that there is a lack of understanding of the "Shared Responsibility Model". The big Cloud providers are doing such a good job of resiliency and security for the infrastructure components they actually manage and control that there is a general sense of complacency and slackness from the Users/Admins who have to step up and manage the layers of the stack they control like Firewall rules.

  14. Anonymous Coward

    New title?

    “Evil hacker gets caught due to villain monologue.”

    I thought that only happened in James Bond movies...

    1. Yet Another Anonymous coward Silver badge

      Re: New title?

      Before I kill you let me tell you my evil plan... Or better still just do 'git clone'

  15. Anonymous Coward

    all of the above, and...

    Important points made by commenters here, especially how this incident proves the desperate need for a GDPR anti-data hoarding regime in North America. Not hopeful the sheeple will take time out from the clown show to react though. Even those inclined to rail against establishment don't seem to see privacy and data protection as a priority. On the technical side, I keep wondering how so many companies keep f*ing up AWS security. It's simply not that hard to get it wrong. Is it that some of the drones they engage to do the work are morons? Or is it that too many share their employer's penchant for corruption? In any event, the logical response would be a massive push for tech education and systems auditing, but it's not clear that will happen given the prevailing culture of reckless greed.

    1. JohnSheeran

      Re: all of the above, and...

      Security is very easy to get wrong if you don't understand security. It's still easy to get wrong even if you do understand security, you just realize your mistakes more quickly and usually fix them. The cloud doesn't change that, but at least it makes your data just one step closer to those who would like to get it and exploit it.

      1. Anonymous Coward

        Re: all of the above, and...

        Agreed. The thing is, humans (and machines programmed by machines) are fallible. Problem is that most tech orgs have been running with such a shallow bench the last decade or more that there's almost never any review of what an individual (well-meaning) engineer has done/is doing/will do _by people who would know a mistake when they see it_.

    2. Anonymous Coward

      Re: all of the above, and...

      As I read the court document I was wondering where the breach was. It does look like the hacker used code and tools they had within AWS to gather the credentials for the S3 bucket. This opens another Pandora's box regarding security in the cloud, and it isn't about whether organisations get their own security right; it's about whether you can ever completely trust people in the cloud provider teams not to run tools that gather your credentials and then use those credentials to steal your data.

      I find myself repeating time after time that you cannot guarantee the security of your data if you are trusting a third party not to go peeking into your files. Moving to the cloud means you have to trust that the vendor has no secret back doors or master keys to your data. I simply don't believe that level of trust can ever be established once your data is off your premises and you hand over some degree of control to someone you didn't hire, didn't vet and can't fire.

      1. Citizens untied

        Re: all of the above, and...

        Hence the quick denial by AWS. It is core to their strategy to retain the trust.

        Ironically, Capital One sends mountains of junk mail, which people have to discard without opening, wasting resources and time (in very small increments, but that does not make it any less irresponsible).

        The knee-jerk reaction from the less technical masses is prevailingly directed at punishing "erratic" - their association to "their" data makes them feel personally victimized.

        This was Capital One's data, and supporting punishment of this woman is an indirect sanction of the rights of the corporate scum of the earth over individuals, their privacy and even the environment.

        We are severely underappreciating the damage usury and its incumbent distortion of value - and values - cause.

    3. Drew Scriver

      Re: all of the above, and...

      I doubt the USA will ever have something similar to the GDPR due to the federal political system. Too many ignorant politicians who have too many constituents and donors to please. Besides, the feds are much too interested in the collected data to jeopardize its existence.

      If states like California pass laws that are too strong the feds will step in and outlaw those. Same thing happened with the spam legislation back in the day.

    4. Ugotta B. Kiddingme

      Re: all of the above, and...

      "...this incident proves the desperate need for a GDPR anti-data hoarding regime in North America. Not hopeful the sheeple will take time out from the clown show to react though. Even those inclined to rail against establishment don't seem to see privacy and data protection as a priority. "

      I think you will find a fair number of us actually DO see privacy and data protection as a priority. The problem is that the politicians who have the means to fix this won't, because they remain in power thanks to the dirty money of the corporations which collect, hoard, and misuse this data.

  16. Tom Paine

    OPSEC

    It is alleged Thompson bragged about her hack to pals on Slack...

    Yet another idiot who didn't read TheGrugq's definitive "OPSEC for hackers" guide.

    "Shut the fuck up, Karl!"

    https://www.slideshare.net/grugq/opsec-for-hackers

  17. Paper
    Trollface

    Women + Queer equality

    This is the first time I'm hearing of a woman and trans person committing this type of crime. So at least one positive takeaway is we are achieving "criminal" equality :D :| :D :|

    1. Anonymous Coward

      Re: Women + Queer equality

      The hacking was bad and my eyes feel battered too.

  18. spold Silver badge

    Your penalties may vary

    ...particularly in Canada - Canadian organizations and individual directors and officers of such organizations may be found guilty of an offence and fined up to $100,000 (CAD) if they knowingly fail to report information security breaches to the Privacy Commissioner of Canada (Office of the Privacy Commissioner - OPC). They have therefore avoided this; however, the OPC can also only recommend changes and has no power to issue fines, so Capital One will get away with it from that perspective.

    However it has been very stormy here in Toronto the last couple of days, my wife said last night "is that rain I can hear outside?", I said "no it's just a bunch of class-action lawyers salivating...".

  19. Anonymous Coward

    The human ego knows no bounds.

    Way to go. Brag about your exploits, so as to make it easier for the cops to identify you and come right to your door to arrest you? Brilliant!!

  20. Not Elvis
    Facepalm

    What's in your Wallet?

    Errrr.... Nothing now....

  21. Maty

    time for change

    Let's face it - if your personal details have not yet been splashed over the web by one breach or another, they are going to be. Large organizations can no more keep data secure than an infant can keep a diaper dry. It is time to recognize this and move on.

    Security by obscurity no longer works. Just because someone has the right social security number, passport details etc, etc, does not mean that this person is who he says he is. The system has to change. Banks have to take responsibility for issuing debt to the wrong people and do better due diligence. If that makes applying for credit a more difficult task, this is probably a good thing.

    1. Jamie Jones Silver badge

      Re: time for change

      Yes! I've been saying that for decades!

  22. Magpop40

    #notourcrimes

    #notourcrimes

    (we wouldn't be that dumb and don't need the bragging ego boost to prop up our fragile senses of self and self-worth)

  23. Andy Humphreys

    Ineffective Encryption?

    I found the Encryption FAQ on their press release to be a little disingenuous;

    "We encrypt our data as a standard. Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data.

    However, it is also our practice to tokenize select data fields, most notably Social Security numbers and account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data. Tokenized data remained protected."

    To me, it would seem that other than selective tokenisation, they are just using some form of full disk or transparent encryption of data at rest.

    Great if someone can walk into a data center and walk out with the disk, but otherwise fallible to any legitimate command that can coerce the data off the disk.

    Perhaps if they had looked at encrypting/decrypting in application in conjunction with HSMs or similar, then the risk of such a clear-text exposure could have been more reduced?
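The contrast drawn in the comment above, as an added illustration that is neither Capital One's nor the commenter's code: transparent at-rest encryption hands plaintext to any caller with read access, whereas an SSN held only as a random token under a separate vault key stays protected even when the main store is read out. The TransparentStore, TokenVault and sample applicants are assumptions, and the SHA-256 keystream is a stdlib stand-in for a real AEAD.

```python
import hashlib
import secrets

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream so the example runs on the stdlib;
    a real deployment uses a vetted AEAD (e.g. AES-GCM) with keys in a KMS/HSM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

class TransparentStore:
    """Models full-disk/TDE encryption: ciphertext on disk, but read() decrypts
    for every caller with read access, so a legitimate query yields plaintext."""
    def __init__(self):
        self._disk_key = secrets.token_bytes(32)
        self._disk = {}

    def write(self, record_id, fields):
        nonce = secrets.token_bytes(12)
        blob = "\n".join(f"{k}={v}" for k, v in fields.items()).encode()
        self._disk[record_id] = (nonce, _keystream_xor(self._disk_key, nonce, blob))

    def read(self, record_id):
        nonce, ciphertext = self._disk[record_id]
        plaintext = _keystream_xor(self._disk_key, nonce, ciphertext).decode()
        return dict(line.split("=", 1) for line in plaintext.split("\n"))

class TokenVault:
    """Separate tokenization service holding token -> SSN under its own key;
    tokens are random surrogates that reveal nothing about the SSN."""
    def __init__(self):
        self._vault_key = secrets.token_bytes(32)
        self._by_token = {}

    def tokenize(self, ssn):
        token = "tok_" + secrets.token_hex(8)
        nonce = secrets.token_bytes(12)
        self._by_token[token] = (nonce, _keystream_xor(self._vault_key, nonce, ssn.encode()))
        return token

    def detokenize(self, token):
        nonce, ciphertext = self._by_token[token]
        return _keystream_xor(self._vault_key, nonce, ciphertext).decode()

# Constructed sample applicants (fake names and SSNs).
APPLICANTS = {"A1": ("Alice Example", "123-45-6789"), "A2": ("Bob Example", "987-65-4321")}

def load_applications(vault, store):
    """The application stores names in clear and SSNs only as vault tokens."""
    for record_id, (name, ssn) in APPLICANTS.items():
        store.write(record_id, {"name": name, "ssn_token": vault.tokenize(ssn)})

def exposed_ssns(store):
    """Raw SSNs a caller with ordinary read access gets back from the main store:
    names come back in clear, but the SSN field contains only tokens."""
    raw = {ssn for _, ssn in APPLICANTS.values()}
    return [v for rid in APPLICANTS for v in store.read(rid).values() if v in raw]
```

Reading the store back shows why "the unauthorized access also enabled the decrypting of data" while "tokenized data remained protected": the read path decrypts for anyone, but recovering an SSN from a token needs the vault and its separate key.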
