SEATTLE – The “configuration vulnerability” that allowed a woman to breach Capital One Financial Corp. and steal more than 106 million records has been known for years, and hundreds of other companies may be similarly vulnerable, according to a new report.
As CUToday.info reported here, Paige A. Thompson, a former employee at Amazon.com’s cloud computing unit, has been arrested for stealing data as part of the massive breach of Capital One.
According to the company, Thompson was able to take advantage of a “specific configuration vulnerability” to steal the data. But according to analysis by the Wall Street Journal, the weakness found in the misconfigured network can also be found in numerous other networks and systems, and security professionals have been issuing warnings about it for years.
Thompson allegedly stated in online messages that she had also applied the same techniques to access a trove of online data from other organizations, the Journal reported. Thompson allegedly was able to break into a central piece of Amazon’s cloud technology, known as its metadata service, which holds the credentials and other data needed to manage servers in the cloud.
The First Step
“In the first step of her alleged hack that began in March, according to her online postings, Ms. Thompson ran a scan of the internet to find vulnerable computers that could give her access to a company’s internal networks,” the Journal stated. “Effectively, she knocked on many front doors to hunt for ones that were unlocked. In the case of Capital One, she found that a computer managing communications between the company’s cloud and the public Internet was misconfigured—effectively it had weak security settings—according to people familiar with the investigation. The door was open.”
Thompson then used that vulnerability to request the credentials she needed to access Capital One’s cloud-stored data from the Amazon cloud. “Once she found the Capital One data, she was able to download it, the people familiar with the investigation said. All, apparently, without triggering any alerts,” the Journal reported.
