Capital One disclosed in July 2019 that it had detected a data breach affecting roughly 100 million credit card applicants and customers in the U.S. and about 6 million in Canada. The compromised personal information included names, addresses, credit scores and other application data, along with Social Security numbers for about 140,000 U.S. customers and about 80,000 linked bank account numbers.
While not every detail of the incident has been confirmed -- and some of it may never be -- enough is publicly available to form a basic picture of the attack chain, which is what an enterprise needs in order to prevent a similar cloud data breach in its own environment.
According to the federal indictment, the alleged hacker, Paige Thompson, reached an Amazon EC2 instance through a misconfigured web application firewall (WAF) that was supposed to protect it. From that position she retrieved the temporary credentials of the Identity and Access Management (IAM) role attached to the instance: the ephemeral keys that the EC2 instance metadata service hands to software running on the host, and that anything able to make requests from the host can read. Those credentials carried permissions broad enough to list and read the S3 buckets holding customer data, so she used them to sync the buckets' contents to a system under her control, exfiltrating the data from AWS.
Once Thompson had a foothold on the instance, the remaining steps of the breach required only basic familiarity with the AWS CLI and IAM. The fundamental misstep was that the misconfigured WAF let an outside attacker reach the instance and the credentials it held at all. Firewalls -- on AWS or anywhere else -- are your first line of defense against this kind of attack, and in some cases the only control standing between the internet and an instance. They should not be the only one, though: the breach also shows why the role attached to an instance should hold no more permissions than its workload needs, because those permissions decide how much an attacker can do once the perimeter fails.
Correctly configured controls are the first requirement for preventing a cloud data breach like Capital One's. Whether you use AWS security groups, network access control lists (NACLs), a WAF or some other filter, a misconfigured control offers little protection; a single overly permissive rule is enough to expose an instance to the entire internet, and your business is then far more likely to experience a breach.
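As an added example (not Capital One's or AWS's own tooling), the following Python function audits security group ingress rules for ports that are open to the whole internet. It expects the dictionary shape that boto3's ec2.describe_security_groups() returns, so the constructed sample groups below can be swapped for a live call; the group IDs, the sample rules and the set of ports considered acceptable to expose publicly are assumptions for illustration.

```python
"""Audit AWS security group ingress rules for world-reachable ports.

Added example, not AWS or Capital One code. Operates on the dict shape
returned by boto3 ec2.describe_security_groups()["SecurityGroups"].
"""
import ipaddress

WORLD_V4 = ipaddress.ip_network("0.0.0.0/0")
WORLD_V6 = ipaddress.ip_network("::/0")

# Ports a public web tier is expected to expose to the internet.
# Assumption for this example; adjust to what the service really serves.
ALLOWED_PUBLIC_PORTS = {80, 443}


def _rule_ports(perm):
    """Inclusive (low, high) port range of a permission, or None when the
    rule is not port-restricted ("-1" = all traffic, ICMP type/code rules)."""
    if perm.get("IpProtocol") == "-1":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo == -1 or hi == -1:
        return None
    return lo, hi


def _is_world(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the internet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net == WORLD_V4 or net == WORLD_V6


def find_overly_permissive(groups, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """Return one finding per ingress rule that admits the whole internet to
    at least one port outside allowed_public_ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if _is_world(c)]
            if not world:
                continue                      # scoped to specific sources
            ports = _rule_ports(perm)
            if ports is None:
                exposed = "all ports"
            else:
                lo, hi = ports
                if all(p in allowed_public_ports for p in range(lo, hi + 1)):
                    continue                  # only expected public ports
                exposed = str(lo) if lo == hi else f"{lo}-{hi}"
            findings.append({
                "group": sg["GroupId"],
                "protocol": perm.get("IpProtocol"),
                "ports": exposed,
                "sources": world,
            })
    return findings


# Constructed sample in describe_security_groups() shape (not real data).
SAMPLE_GROUPS = [
    {   # web tier: 443 to the world is expected, SSH to the world is not
        "GroupId": "sg-0web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # app tier: everything from anywhere, the kind of rule to remove
        "GroupId": "sg-0app",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {   # hardened: SSH only from an assumed corporate range
        "GroupId": "sg-0ok",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        ],
    },
]

if __name__ == "__main__":
    for f in find_overly_permissive(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['protocol']} {f['ports']} "
              f"open to {', '.join(f['sources'])}")
```

Against the sample, the web group is flagged for SSH and the app group for its allow-everything rule, while the group that restricts SSH to one CIDR passes. Run against live output the same function gives you the list of rules to close before an attacker finds them for you.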
With sound practices in place, you open access only to the users, addresses and services that need it and deny everything else by default. Avoid exposing an instance to the public internet unless it must serve traffic directly, and then expose only the ports that service uses. AWS users can also enable VPC Flow Logs to record the traffic accepted and rejected at each network interface; reviewing those records for scanning activity and for accepted connections on ports you never meant to open shows where the rules need tightening, which turns logging into a feedback loop for continuously improving your firewall.
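The review loop described above, as an added example in Python (not Capital One's tooling and not an AWS library): it parses the default version-2 VPC Flow Log record format, which AWS documents as the space-separated fields version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action and log-status, and reports external sources that were rejected on many different ports (scan-like behaviour) together with accepted inbound flows to ports outside the expected set. The sample records, the VPC CIDR, the expected-port set and the scan threshold are constructed assumptions, not data from the breach.

```python
"""Find firewall-tuning signals in VPC Flow Log records.

Added example, not AWS or Capital One code. Parses the default
version-2 flow log record format and flags two patterns:
  * external sources rejected on many distinct ports (port scans)
  * accepted inbound flows to ports the firewall was not meant to expose
"""
import ipaddress
from collections import defaultdict

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status"]

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range
EXPECTED_INBOUND_PORTS = {80, 443}               # assumed public service ports
SCAN_THRESHOLD = 5                               # distinct rejected ports per source


def parse_record(line):
    """Parse one flow log record into a dict, or None if it is malformed or
    carries no data (NODATA / SKIPDATA records use '-' in most fields)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def analyze(lines, vpc_cidr=VPC_CIDR, expected_ports=EXPECTED_INBOUND_PORTS,
            scan_threshold=SCAN_THRESHOLD):
    """Return scan-like external sources and unexpected accepted inbound flows."""
    rejected_ports = defaultdict(set)
    unexpected_accepts = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["srcaddr"]) in vpc_cidr:
            continue                          # internal traffic is out of scope here
        if rec["action"] == "REJECT":
            rejected_ports[rec["srcaddr"]].add(rec["dstport"])
        elif rec["action"] == "ACCEPT" and rec["dstport"] not in expected_ports:
            unexpected_accepts.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    scanners = {src: sorted(ports) for src, ports in rejected_ports.items()
                if len(ports) >= scan_threshold}
    return {"scanners": scanners, "unexpected_accepts": unexpected_accepts}


# Constructed sample records (not real traffic): one legitimate client, one
# external host that probes several ports and then gets through on SSH,
# one internal host, and one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51000 443 6 12 2400 1564000000 1564000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51001 80 6 8 1200 1564000000 1564000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 40001 21 6 1 60 1564000100 1564000160 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 40002 22 6 1 60 1564000100 1564000160 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 40003 23 6 1 60 1564000100 1564000160 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 40004 3389 6 1 60 1564000100 1564000160 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 40005 8080 6 1 60 1564000100 1564000160 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 40006 22 6 14 3100 1564000200 1564000260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.5 10.0.1.10 33000 22 6 9 1800 1564000200 1564000260 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1564000300 1564000360 - NODATA
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for src, ports in result["scanners"].items():
        print(f"scan-like source {src}: rejected on ports {ports}")
    for src, dst, port in result["unexpected_accepts"]:
        print(f"unexpected accept {src} -> {dst}:{port}; tighten the rule that allows it")
```

In the sample the same external host is rejected on five ports and then accepted on port 22, which is exactly the combination that should send you back to the security group: the rejects show the firewall doing its job, and the accept shows the rule it is missing. Flow logs record accepted and rejected flows per network interface, so they reveal which rules are too loose, but they do not capture requests to the instance metadata service; credential theft of the kind in this breach has to be caught at the application and IAM layers.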