Capital One Financial (NYSE:COF)
Historical Stock Chart

From Aug 2019 to Aug 2024

By James Rundle and Catherine Stupp 

The breach disclosed by Capital One Financial Corp. this week highlights an uncomfortable truth: It's almost impossible to stop a determined hacker with inside knowledge of a firm's systems.

Experts say the incident shows how, as more information is stored in the cloud, staff trained in how to use these systems could become a threat to other companies.

The data exposed in the Capital One hack was stored on Amazon.com Inc.'s cloud, according to a federal criminal complaint and people familiar with the matter.

"More and more individuals outside of an organization have knowledge of how enterprise systems work and how organizations maintain and access their data in the cloud, giving them insider views that could be used for nefarious purposes," said Homayun Yaqub, senior director of strategy at security firm Forcepoint LLC.

Capital One said that the personal data of more than 100 million U.S. and Canadian residents had been exposed, including dates of birth, addresses and names. The bank estimates the breach will cost between $100 million and $150 million to fix.

A suspect in the breach, Paige A. Thompson, was arrested in Seattle. She is a former employee of Amazon Web Services, according to a résumé posted to an account on the website GitHub that is associated with her. She worked on the company's S3 cloud storage technology, the résumé said. An attorney representing Ms. Thompson didn't immediately respond to a request for comment.

The Federal Bureau of Investigation, in a complaint filed with the U.S. District Court for the Western District of Washington in Seattle, alleges that Ms. Thompson broke into Capital One's systems through a misconfigured firewall and located an account with permission to access sensitive information, which she then copied and published to GitHub. She faces up to five years in prison and a $250,000 fine.

Capital One didn't respond to a request for comment.

The company said personal information from credit-card applications from 2005 through 2019 was accessed, including credit scores, payment history and contact information. About 140,000 Social Security numbers and 80,000 account numbers from credit-card customers were also compromised.

An Amazon spokesman attributed the hack to a firewall issue, not a cloud-computing problem.

CJ Moses, AWS's deputy chief information security officer, said at a conference in September that the Amazon unit restricts most staff members from accessing its broader internal infrastructure, WSJ Pro Cybersecurity reported at the time. Mr. Moses said the strategy aims to reduce "witting or unwitting" data breaches.

Financial firms have attributed a number of incidents in recent years to employees, including identity theft and the sale of personal information to criminals.

A former banker at JPMorgan Chase & Co., Peter Persaud, was sentenced in 2018 to four years in prison for selling clients' personal information to criminals. Morgan Stanley was fined $1 million in 2016 after one of its employees stole 730,000 client records and later offered them for sale.

In April, the FBI warned that typical insider attackers might have IT experience and might be motivated by factors including revenge on former employers and financial gain. The motivations of the Capital One attacker are unknown. Ms. Thompson "intended to disseminate data stolen from victim entities," according to the complaint.

New York Attorney General Letitia James said Tuesday her office would immediately open an investigation into the incident and provide relief to victims. "Safeguards were missing that allowed for the illegal access of consumers' names, Social Security numbers, dates of birth, addresses, and other highly sensitive, personal information," Ms. James said in a statement.

Ms. James and 49 other attorneys general settled a lawsuit last week over Equifax Inc.'s 2017 data breach, requiring the firm to pay as much as $700 million and change its cybersecurity practices.

Many breaches at large institutions are blamed on organized crime or nation-state activities, experts said, but the Capital One case demonstrates that certain threats are difficult to detect.

"Insider threats are big concerns for companies and when you combine them with the talent of an engineer like this, it's really concerning," said Mark Testoni, CEO of SAP SE's National Security Services business. "That is tough to prepare for because they're more sophisticated than other insiders may be."

The pool of talent capable of launching such attacks is expanding. The nature of cloud services also means that any user who has spent time developing technology on AWS can become familiar with how these systems work in practice, said Sameer Malhotra, CEO of security firm TrueFort Inc.

While AWS itself wasn't breached, cloud providers should do more to assist their users, suggested Mr. Malhotra, a former technology executive at JPMorgan Chase & Co., Goldman Sachs Group Inc. and Bank of America Corp.

"They see everything [in terms of activity], and they can be much faster to respond, or at least alert the customer, that they're seeing something they haven't before," he said.

The increasing number of breaches involving cloud providers has highlighted the importance of who becomes liable in the event a server is breached, Lee Rubin, counsel at law firm Pillsbury Winthrop Shaw Pittman LLP, said at a WSJ Pro Cybersecurity conference in June.

Accountability by cloud providers and customers in the event of a cyber incident should be nailed down during contract negotiations, he said: "From a contracting perspective, be very clear on the designated lines who's responsible and who's doing what."

Write to James Rundle at james.rundle@wsj.com and Catherine Stupp at Catherine.Stupp@wsj.com

(END) Dow Jones Newswires

July 31, 2019 05:44 ET (09:44 GMT)