Massive Capital One Data Breach Ensnares AWS But Amazon Denies Blame For Epic Security Fail

Go ahead and cue the inevitable 'What's in your wallet?' jokes. One potential answer to that question, by the way, is a hacker's fingers. Capital One says an "outside individual" gained unauthorized access and obtained various personal information linked to both existing credit card customers and people who had applied for a credit card.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, Chairman and CEO. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

Capital One blamed the breach on a "configuration vulnerability" that it "immediately fixed," though not before the culprit could swipe around 140,000 Social Security numbers and 80,000 linked bank account numbers belonging to customers of secured credit cards.

The culprit was also able to steal customer status data (credit scores, credit limits, balances, payment history, and contact information), and fragments of transaction data from a total of 23 days from 2016-2018, Capital One said.

As many companies are, Capital One is an Amazon Web Services (AWS) customer. Amazon, however, quickly sought to distance itself from any culpability in the hack.

"AWS was not compromised in any way and functioned as designed. The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud," an AWS spokesperson told Newsweek.

In other words, Capital One screwed up, rather than AWS being at fault, according to Amazon's statement on the matter. Amazon also notes on its website that customers "maintain full control" of their content and "responsibility for configured access to AWS services and resources."

None of it comes as any consolation to the approximately 100 million individuals in the US affected by the breach, plus 6 million more in Canada. However, it has been reported that the Federal Bureau of Investigation (FBI) has arrested a 33-year-old suspect, Paige A. Thompson, in relation to the hack.

According to the criminal complaint, Thompson is a former Amazon employee who had threatened to distribute data from Capital One's database.

Computer fraud and abuse is punishable by up to 5 years in prison and a $250,000 fine, the US Department of Justice says.
