Capital One Data Breach: What Went Wrong for the Financial Giant

Skybox Security
5 min readAug 6, 2019
Our Research Lab analyzes the techniques that could have led to Capital One’s breach, leaking more than 100 million records—by Marina Kidron

News of the Capital One data breach was made public on July 19. According to their website, the leaked data of approximately 100 million Americans and 6 million Canadians included information from credit card applications dating back to 2005. This would include names, addresses, phone numbers, self-reported income, credit scores, payment history and other personal information. Some unlucky victims also had their social security and bank account numbers leaked.

Who’s Responsible for the Capital One Data Breach?

In its press release, Capitol One described the attacker, 33-year old Paige Thompson (aka Erratic), as a “sophisticated individual [who] was able to exploit a specific configuration vulnerability within our infrastructure.” Claims of sophistication are somewhat undercut by the fact that Thompson posted some of the data under her own name on GitHub. Also, a the court complaint filed against Thompson shows she wasn’t arrested for hacking, but for intentionally accessing a computer without authorization.

But in terms of responsibility, it seems that falls at Capital One’s feet. An incorrectly configured firewall protecting its AWS S3 cloud storage is at the crux of this breach. Additionally, though the data accessed was encrypted, Thompson’s access allowed her to decrypt the data.

Why Firewall Configuration Matters

Hindsight is 20/20. It may be easy to wag the finger of shame at Capital One for missing the firewall configuration issue, but the truth is, these things slip through the cracks frequently — especially in enterprise-scale environments. Whether it was negligence or ignorance, we can’t be sure, and the distinction matters little to the 100 million individuals whose data leaked.

Because of the scale of enterprise network, the complexity and constant state of change, automated oversight has become increasingly important. The ability to spot and address configuration issues quickly can mean the different between a fire drill and a five-alarm blaze.

To be confident that your firewalls are configured correctly, you first need to:

  • Know all of the firewalls within your organization and continually maintain this record
  • Have policies in place to ensure devices are configured according to vendor recommendations, best practices, regulatory requirements, etc.
  • Compare the platform security of devices against those policies to identify configuration weaknesses
  • Assess whether the device can be accessed using the default password, if logging is enabled and if the management protocol is encrypted

Remember, when a security device itself is comprised, it compromises an entire layer of security and acts as an attack enabler rather than a safeguard. Don’t let the management of firewalls be their undoing.

See why eight of the largest retail banks in the world rely on Skybox for cybersecurity management >

MITRE ATT&CK Techniques of the Capital One Data Breach

A recent publication by Digital Shadows gives a great description of the Capital One Data Breach, mapping the attack steps to the MITRE ATT&CK matrix, a public knowledge base of TTPs and observations.

The Exploit Public-Facing Application (T1190), External Remote Service (T1133) or Valid Accounts (T1078) techniques could be used for initial access:

  • Exploit Public-Facing Application: can be initiated by exploiting a vulnerability in a directly exposed asset that does not require user interaction

Skybox’s attack simulations use a model of the hybrid network topology, security controls, assets and vulnerabilities to identify attack paths from a threat origin to a vulnerable asset. Direct exposures are considered a critical risk and are prioritized for immediate remediation.

  • External Remote Service: can be initiated due to improper network segmentation or direct remote access to the internal organizational system (which should be restricted and properly managed via proxies, gateways or firewalls)

Skybox continually assesses the rule, access and configuration compliance of your network, ensuring that strictures designed in policy are being enforced in reality and controls are following the principal of least privilege. Skybox leverages a model of the hybrid network topology and security controls to analyze access end to end — between and within networks and network zones — to confirm proper segmentation is in place.

  • Valid Account: when the network device uses default credentials, an attacker can use the default settings to access the device

Skybox provides numerous platform-specific configuration policies which can be adopted as–is or customized to suit your business needs. Policies contain a set of configuration checks, each of which is represented by regular expression. When a device’s configuration data is analyzed, it passes only if the regular expression is matched in the configuration file.

Fallout of the Capital One Data Breach

The ramifications of the Capital One data breach are huge. Capital One’s reputation has been dealt a massive blow; its stock dropped 4 percent in after-hours trading following the announcement; and it will be bracing itself for some regulatory fines and potentially lawsuits.

This pain isn’t just being felt by Capital One. Even though the financial services firm is ultimately responsible for the breach, its cloud provider Amazon has also been impacted — according to news outlets, the association of AWS with the attack could be enough to take Amazon out of the running for a 10-year, $10bn contract with the US Defense Department.

On the heels of the $700 million-dollar payout for the Equifax breach, the Capital One data breach If should serve as a stark wake-up call to a lot of organizations, not just in financial services. Innovation is attractive, but it should be approached with caution: security needs to be baked in. For organizations undergoing cloud transformation, they need to ensure proper oversight of accessibility into and inside their cloud networks.

If the speed with which Capital One responded to the breach notification is any indication of the issue which allowed it, it was probably an easy fix — one they wish they would’ve made months ago.

Related Posts

Critical Palo Alto Networks Vulnerability Discovered: A critical Palo Alto Networks RCE vulnerability has been discovered and patched. If exploited, attackers could gain control of your internet gateway and firewall rules

Docker Vulnerability Made Public a Year After First Discovery: A Docker vulnerability has been made public that, if exploited, could give attackers full read and write access to an organization’s filesystem

Life After Breach — 5 Steps To Recover From a Cyber Attack: Christina Kubecka’s Black Hat briefing on recovering from the Aramco cyberattack lays out a playbook for post-attack recovery and adaptive security teams

Originally published at on August 6, 2019.



Skybox Security

Cybersecurity from The Skybox View. Words of wisdom on how total network visibility & analytic-driven intelligence conquer all.