Capital One: Convicted techie got in via 'misconfigured' AWS buckets
2022-06-20 13:32

The conviction follows the infamous 2019 hack of Capital One in which personal information of more than 100 million US and Canadian credit card applicants was swiped from the financial giant's misconfigured cloud-based storage.

The data was submitted by credit card hopefuls between 2005 and early 2019, and Thompson was able to get into Capital One's AWS storage thanks to a "misconfigured web application firewall."

According to the original July 2019 complaint [PDF], Capital One received an email to its responsible disclosure address stating: "There appears to be some leaked s3 data of yours in someone's github /gist."

Capital One then confirmed that they "matched the actual names of folders or buckets of data used by Capital One for data stored at the cloud company."

As for Capital One, it was memorably slapped with an $80 million fine and settled customer lawsuits for $190 million following the leak.

The Register contacted Capital One and Thompson's lawyers for comment and will update should either respond.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/06/20/captial_one_wire_fraud/