Capital One didn’t leak private data – someone else did – and that’s the problem

The sheer numbers in the Capital One data breach are bad – with personal details on over 106 million individuals stolen – but the real issues behind the data leak are much more worrisome.

The breached data – around 140,000 Social Security numbers and 80,000 bank account numbers belonging to U.S. consumers, plus about 1 million Social Insurance Numbers belonging to Canadian credit card customers – was taken from Capital One, a major American credit card issuer. But it wasn’t taken by one of Capital One’s own employees, and it wasn’t taken from servers Capital One runs itself. The private data was allegedly taken by Paige A. Thompson, who had previously worked for a company that provides Capital One with cloud data storage. According to KrebsOnSecurity, that cloud provider was most likely Amazon.

An erratic approach can cause big damage

The data theft appears to be bound up with Thompson’s personal instability. In addition to taking the data, Thompson posted it on GitHub, the open software development platform. She also talked about her data-handling exploits on Twitter under the handle “Erratic.” On top of that, she created a public Meetup group and invited others to join her on a Slack channel to discuss the data and her activities. This public trail of details about the data and her activities led to an email tip being sent to Capital One about the theft, and to her subsequent arrest. At present there is no indication that the stolen data has been leaked any further, or that it is being used for any illegal or fraudulent activity.

Your private data is only as secure as the weakest link

Thompson’s online postings raise a nightmare scenario: her posts describe prying into various other corporate accounts, which suggests she may have taken, or at least had access to, gigabytes of other private data. It is not yet clear whether this fear is justified or whether it was simply online boasting. More details are expected in the coming weeks.

The Capital One incident raises a lot of questions

As with any major IT crime, the incident has raised more questions than answers. Here are the primary ones:

1. Was Thompson a talented but unstable “Lone Wolf” type individual?

It certainly looks that way. Thompson clearly had issues of her own when she stole the data. However, her progressive leaking of details about her activities on Twitter, GitHub, and Slack also limited the scope of the damage, because it called attention to her. Without this self-damaging trait – and without any apparent desire to monetize the data she could access – the situation would have been much worse.

2. What could Capital One or Amazon have done to better secure the data?

Capital One itself refers to a “configuration vulnerability” in its press release on the incident – so something was clearly not done 100% correctly. Details on exactly what was misconfigured will come out over time. No information about Amazon’s employee screening processes has come out.

3. What techniques and strategies did Thompson use to gain access to this data?

Nobody really knows for sure. Thompson did describe some of her activities online. KrebsOnSecurity readers and commenters on Y Combinator’s Hacker News have pointed out a slew of potential weaknesses that could have allowed Thompson to reach private information. Again, more details will come out over time.

Is my data safe in the cloud?

Good question, with no clear answer. In a nutshell, your data is only as secure as every person and every process that touches it – and in the cloud that includes the provider’s staff and configuration as well as your own. This breach, and the growing list of other leaks from cloud storage, should make you question the security of your data wherever it is stored.

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.