On Monday evening, federal prosecutors said that tech worker Paige A. Thompson has been charged with computer fraud and abuse for stealing data from millions of Capital One customers.
In the criminal complaint against Thompson, we get some technical detail into how it allegedly went down. A “firewall misconfiguration” left one of Capital One’s cloud servers vulnerable to Thompson, prosecutors said in the complaint, allowing her to send commands that gave her access to the sensitive data in question.
The complaint doesn’t name the cloud provider used by Capital One in this instance, referring to it only as “Cloud Computing Company.” However, a screenshot of a Slack conversation included in the complaint appears to show Thompson referring to “s3,” which is the name of Amazon Web Services’ cloud storage product for developers.
A spokesperson for Amazon Web Services confirmed to Bloomberg that AWS had stored the data, but according to The New York Times, “Amazon said it had found no evidence that its underlying cloud services were compromised.”
The complaint alleges Thompson was able to use that “misconfiguration” referred to above to send a command that somehow allowed her to obtain security credentials to a specific account — which she was able to use to access “certain of Capital One’s folders at the Cloud Computing Company,” prosecutors allege.
Also of note is that Thompson herself was a former Amazon Web Services employee, an Amazon spokesperson confirmed to Bloomberg. According to a resume viewed by Business Insider posted on what appears to be Thompson’s personal account at GitLab, a popular online code-sharing service, Thompson appears to have worked on the S3 service itself between 2015 and 2016.
This checks out with the complaint, which states that Thompson is a former employee of the same “Cloud Computing Company” at issue in the Capital One breach and worked there during the same time span.
However, the complaint doesn’t seem to fault Amazon Web Services for Thompson’s alleged intrusion, and neither, it appears, does Capital One.
“This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data center environments,” Capital One said in a press release on the data breach. “The speed with which we were able to diagnose and fix this vulnerability, and determine its impact, was enabled by our cloud operating model.”
In other words, Capital One appears to be saying, this didn’t stem from any inherent flaw or vulnerability in the cloud. Furthermore, it has only been 10 days since Capital One said the hack was first discovered, and in this statement Capital One credits its use of the cloud with the ability to find and fix the problem.
There is plenty of precedent here, though rarely so dramatic: In 2018, Tesla acknowledged that hackers had broken into its Amazon Web Services account and used it to mine cryptocurrency. The hack was discovered when security firm RedLock found a Tesla IT administrative console that didn’t have a password.
“Given the immaturity of cloud security programs today, we anticipate this type of cybercrime to increase in scale and velocity,” RedLock CTO Gaurav Kumar told Business Insider at the time.
Amazon did not respond to a request for comment at the time of publication.