
One In 100 Million or More: AWS Systems Engineer May Have Accessed Information from Multiple Companies

The hits keep on coming in the world of security breaches, and this week has been no exception. Federal prosecutors filed a criminal complaint, supported by an FBI affidavit, against Paige A. Thompson, a 33-year-old former Amazon engineer accused of exfiltrating data on more than 100 million Capital One customers.

In the filing, the FBI says Capital One was notified in an email tip on July 17 that some of the acquired data was being stored on GitHub, an online platform with more than 36 million users. GitHub has also recently been in the news over security issues of its own that exposed code belonging to millions of developers.

Thompson left a trail that was easy to follow, including IP addresses linked to IPredator, a VPN provider that says on its website it is located in Cyprus, along with MeetUp and Slack postings. By Thompson's own account the case seems to have more to do with her emotional struggles than with profit: there is no indication that she sold the private information, and it appears she was seeking some other form of release.

Thompson’s résumé says she worked at Amazon from May 2015 to September 2016 as a systems engineer on S3 (Amazon Simple Storage Service), which Amazon describes as a platform for storing “data for millions of applications for companies all around the world.”

According to the complaint, in March of this year she reached a Capital One server sitting behind a misconfigured web application firewall. The misconfiguration let her commands reach the server, which returned credentials for a role that could list and copy the buckets in Capital One’s storage space on Amazon’s cloud, and she began downloading the data. The FBI also found a Twitter direct message in which Thompson shared her plans to distribute the acquired data, including Social Security numbers, names, and birthdates.

Computer security writer Brian Krebs reviewed comments on the Slack channel Thompson used and found a June 27 comment “listing various databases she found by hacking into improperly secured Amazon cloud instances,” he wrote on the KrebsOnSecurity security news site. “That posting suggests Erratic may also have located tens of gigabytes of data belonging to other major corporations,” he said. (“Erratic” was Thompson’s online handle.)

Only last month, Netflix, TD Bank, and Ford were among the large enterprises whose data was exposed by three publicly accessible Amazon S3 buckets owned by Attunity, an Israel-based data management company that replicates and migrates datasets so they can be easily analyzed. Qlik acquired Attunity in May, and it now operates as a division of Qlik. The three buckets leaked more than a terabyte of data from Attunity’s Fortune 100 customers.

Intentional and accidental data exposure continue to pose massive threats to the world’s largest enterprises, including the financial institutions that billions of consumers and businesses trust to safeguard their private information.

According to the 2019 Verizon Data Breach Investigations Report, insiders were involved in 34 percent of data breaches, and many of those incidents were accidental exposures rather than malicious acts. That matters, but the larger lesson of this latest incident is that enterprises need to spend more time and more resources understanding security throughout the entire stack and across the network, cloud and application domains, including securing every single endpoint.

To say that security is an ecosystem sport is putting it mildly. It is not enough to have only certain aspects of security covered. Gartner suggested in 2018 that the organizations attempting to steal data or hold companies hostage are spending ten times as much as all organizations combined spend on protecting themselves from those adversaries.

Dispersive’s contribution to the cybersecurity ecology is the integration of security within the network itself, with our unique and patented approach to protecting data in use, in motion and at rest.

Here’s how it works:

  • Data streams are split at the authenticated source and re-addressed with a Dispersive™ Virtual Network (DVN) header, so that the dispersed traffic follows different network paths, across one or more physical circuits, according to instructions from the DVN Controller.
  • The underlying IP networks deliver these packets to DVN Data Deflects. Where the Deflects are placed influences the actual paths traversed.
  • New paths can be established (“rolled”) during a transmission, avoiding network attacks and link failures and bypassing congested pathways, which also improves performance.
  • The Data Deflects receive the packets and re-address them for the destination. The authenticated destination reassembles the split packet streams and strips out the DVN header before passing the original packet to the receiving application. Missing packets are re-requested, so packet delivery is guaranteed.
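To make the steps above concrete, here is a small added simulation. It is not Dispersive’s code and not its wire format: the header fields, the round-robin path assignment, the per-path relay (“deflect”) and the retry “roll” onto the next path are assumptions made for illustration. What it shows is the property the list describes: a tap on any single path sees only a fraction of the stream, the destination reassembles the whole stream from the headers, and fragments lost on one path are re-requested and sent again over a different path.

```python
"""Toy model of split-path delivery with a per-fragment header and receiver-side
reassembly. Illustrative only: the 'deflect' and 'roll' vocabulary follows the
description above, but the header layout, path policy and re-request logic are
invented for this example and are not Dispersive's protocol."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One fragment plus the extra header the source prepends (all fields assumed)."""
    flow_id: int    # which flow this fragment belongs to
    seq: int        # position in the original stream
    total: int      # number of fragments in the stream, so the receiver can spot gaps
    path: int       # which deflect the source chose for this fragment
    payload: bytes


def split_stream(flow_id, data, n_paths, chunk=16):
    """Cut data into fixed-size chunks and spread them round-robin over n_paths."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    return [Fragment(flow_id, seq, len(chunks), seq % n_paths, c)
            for seq, c in enumerate(chunks)]


class Deflect:
    """A relay on one path. Records what an observer sitting on that path would
    see, then forwards the fragment or drops it with probability `loss`."""
    def __init__(self, path, loss=0.0, seed=0):
        self.path = path
        self.loss = loss
        self.rng = random.Random(seed)
        self.seen = set()       # seqs visible to a tap on this path

    def forward(self, frag):
        assert frag.path == self.path, "fragment routed to the wrong deflect"
        self.seen.add(frag.seq)
        if self.rng.random() < self.loss:
            return None         # lost somewhere on this path
        return frag             # a real deflect would re-address this for the destination


class Receiver:
    """Reassembles fragments for one flow and reports which seqs are still missing."""
    def __init__(self, flow_id):
        self.flow_id = flow_id
        self.total = None
        self.buf = {}

    def accept(self, frag):
        if frag.flow_id != self.flow_id:
            return              # not our flow; ignore
        self.total = frag.total
        self.buf[frag.seq] = frag.payload

    def missing(self):
        if self.total is None:
            return None         # nothing received yet, so gaps cannot be identified
        return [s for s in range(self.total) if s not in self.buf]

    def reassemble(self):
        return b"".join(self.buf[s] for s in range(self.total))


def transmit(data, n_paths=3, loss=0.0, chunk=16, seed=1, max_rounds=100):
    """One end-to-end transfer. Anything missing is re-requested, and each retry is
    'rolled' onto the next path. Returns (reassembled bytes, per-path seqs seen, rounds)."""
    flow_id = 7                          # constructed sample flow identifier
    deflects = [Deflect(p, loss, seed + p) for p in range(n_paths)]
    rx = Receiver(flow_id)
    pending = split_stream(flow_id, data, n_paths, chunk)
    rounds = 0
    while pending:
        rounds += 1
        if rounds > max_rounds:
            raise RuntimeError("path loss too high to complete the transfer")
        for frag in pending:
            delivered = deflects[frag.path].forward(frag)
            if delivered is not None:
                rx.accept(delivered)
        missing = rx.missing()
        if missing is None:              # whole first round lost: resend everything
            continue
        by_seq = {f.seq: f for f in pending}
        pending = [Fragment(f.flow_id, f.seq, f.total, (f.path + 1) % n_paths, f.payload)
                   for f in (by_seq[s] for s in missing)]
    return rx.reassemble(), [sorted(d.seen) for d in deflects], rounds
```

With `loss=0.0` and three paths, each deflect sees exactly every third fragment and the transfer completes in one round; with a lossy path, the receiver’s gap list drives the retries and the rolled fragments show up in a neighbouring deflect’s `seen` set. The `seen` sets are the point: they are the most an observer on one path could capture, regardless of how the payload is later protected.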

Dispersive is the leading Secure SD-WAN architecture and works alongside other security components (e.g., firewalls, IDS/IPS, DoS/DDoS detection) toward a zero-trust model.

As we head into the final planning phases for 2020, IT and OT teams aren’t the only groups inside enterprises like Capital One whose senses are heightened. Chief Executive Officers, Chief Information Security Officers, Chief Regulatory Officers, and entire Boards of Directors are looking at comprehensive security as risk management across everything from fines to reputational damage.

Capital One’s stock price and market valuation fell immediately after the news broke. While it is likely to recover, the bank is now paying for credit monitoring and identity protection services for affected customers, and AWS faces renewed scrutiny over its customers’ “leaky buckets” and misconfigured firewalls. These and other companies are responding defensively. Ultimately a more comprehensive cybersecurity architecture will enable companies to go on the offense, to be more aware and active, and less vulnerable to future attacks.