The Wall Street Journal - 31.07.2019



ered a junior employee accord-
ing to Amazon’s internal
ranking system. AWS is the last
job listed on Ms. Thompson’s
résumé. Amazon declined to
comment on the circumstances
of her departure.
Prosecutors said Ms. Thomp-
son’s efforts to breach Capital
One’s systems began as early as
March 12. She allegedly used a
virtual private network and an
anonymous web browser called
Tor to shield her identity while
attempting to access the bank’s
data on Amazon’s servers. Pros-
ecutors said Capital One failed
to fully secure its firewall—the
mechanism designed to wall off
data inside Amazon Web Ser-
vices—from outside incursion.
Observers are trying to as-
certain the degree to which Ms.
Thompson leveraged knowl-
edge gleaned inside Amazon to

allegedly launch the attack. A
person familiar with the inves-
tigation said that on March 22,
Ms. Thompson used a unique
series of commands to first
gain access to Capital One’s
firewall and then obtain the
credentials needed to extract
millions of records stored at
Amazon. It is possible that her
Amazon experience helped her
to develop this technique more
quickly, the person said. Ama-
zon declined to comment.
Between her first alleged in-
trusion and April 21, Ms.
Thompson downloaded 106 mil-
lion applications, prosecutors
said. Although much of the
data was protected by encryp-
tion, it was a treasure trove of
personal information including
120,000 Social Security and
77,000 bank-account numbers.
The data breach was com-

tle appreciated—of an insider
threat.
Cloud computing has
boomed as companies turn to
providers such as Amazon and
Microsoft Corp. to do the work
of configuring computers in-
side their own data centers.
The processing power of those
servers and storage devices is
then rented out to customers,
who pay depending on how
much work the computers do.
Capital One was an early
adopter of cloud-computing
among financial institutions as
many other banks hesitated to
move customer data out of
their data centers. But the
global cloud business has ex-
panded—including among
banks—as companies such as

JPMorgan Chase & Co. and
Bank of America Corp. became
converts. That has heightened
the stakes from the Capital
One breach for the broader fi-
nancial-services and cloud-
computing industries.
By 2023, banks globally are
forecast to spend more than
$53 billion on public cloud in-
frastructure and data services,
up from $24.3 billion this year,
according to market research
firm International Data Corp.
The disclosure of the
breach has caused a behind-
the-scenes scramble at several
financial institutions to under-
stand what happened at Capi-
tal One, according to a person
familiar with the discussions.
“Everyone who is migrating

to the cloud is really going to
look at their controls,” said
Sameer Malhotra, the chief ex-
ecutive of TrueFort Inc., a
company that provides cloud
security services.
Although court documents
indicate a Capital One error
led to the breach, the alleged
hacker, Paige A. Thompson, is
a former employee at Ama-
zon’s web services unit, the
world’s biggest cloud-comput-
ing business. That raises
questions about whether she
used knowledge acquired
while working at the cloud-
computing giant to commit
her alleged crime, said Chris
Vickery, director of cyber-risk
research at the security firm
UpGuard Inc. A lawyer repre-

One of the highest-profile
hacks of consumer-banking
data has sent financial institu-
tions scrambling to figure out
how millions of records at one
of the biggest proponents of
cloud-computing were ex-
posed.
Capital One Financial
Corp., the fifth-largest U.S.
credit-card issuer, said Mon-
day that information of
roughly 106 million card cus-
tomers and applicants was ex-
posed in one of the largest
data breaches of a big bank.
The data was stored on Am-
azon.com Inc.’s cloud, accord-
ing to a federal criminal com-
plaint and people familiar with
the matter. The avenue of en-
try, the companies and investi-
gators said, was a poorly con-
figured firewall—a mechanism
designed to wall off privately
operated digital systems—that
a hacker breached.
Both companies say con-
trols around the data, rather
than use of the cloud, were
the problem. Still, the data
was stored in the cloud, rais-
ing questions about whether
Capital One put insufficient
safeguards in place to lock
down customer records when
it adopted cloud technology.
And the accused hacker’s ten-
ure as a former employee of
Amazon’s cloud business high-
lights the risk—previously lit-


By Robert McMillan


U.S. NEWS


senting Ms. Thompson didn’t
return messages seeking com-
ment.
An Amazon spokesman at-
tributed the hack to a firewall
issue, not a cloud-computing
problem.
Cloud computing caught on
in part because it allowed
software engineers to sidestep
cumbersome security restric-
tions and sluggish develop-
ment processes that made
companies’ in-house technolo-
gies clunky. But the ease and
speed of opting instead to fire
up a server through Amazon
Web Services has led to
many cloud misconfiguration
problems that can leave sensi-
tive data exposed to unauthor-
ized access.
“It’s easy to misconfigure
things and it’s easy to have
catastrophic results from
those misconfigurations,” Mr.
Vickery said.
As the list of companies
that have inadvertently ex-
posed data on the cloud has
grown, Amazon has taken
steps to minimize that risk. In
2017, the company introduced
technologies to detect such
configuration problems and
make them easier to fix.
Capital One started work-
ing with AWS in 2014 and
has since become a marquee
customer. In 2015, Capital
One Chief Information Officer
Rob Alexander said “the fi-
nancial services industry at-
tracts some of the worst cy-
bercriminals. So we worked
closely with the Amazon
team to develop a security
model, which we believe en-
ables us to operate more se-
curely in the public cloud

than we can even in our own
data centers.”
“This type of vulnerability
is not specific to the cloud,”
Capital One said of the hack.
“The elements of infrastruc-
ture involved are common to
both cloud and on-premises
data center environments.”
The bank added that its use of
the cloud helped it respond to
the breach faster. The com-
pany learned of the incident
on July 19 and notified af-
fected customers 10 days later.
Over the years, Capital One
has developed systems to pre-
vent data from being inadver-
tently released to the wider
internet, according to a person
familiar with the company’s
operations.
“Any company that has or
is looking to move into the
cloud must ensure that their
security strategy is developed
alongside of that transforma-
tion,” said Vincent Liu, a part-
ner with the security-consult-
ing firm Bishop Fox.
Mr. Liu, whose company
assesses security vulnerabili-
ties on corporate networks,
says that while configuration
problems happen in corporate
data centers as well, he often
finds that “basic cyber hy-
giene gets thrown out the
window” as companies move
to new technologies such as
the cloud.
The stakes for companies to
safeguard information are ris-
ing. Credit-reporting company
Equifax Inc. struck a $700 mil-
lion settlement this month
with state and federal authori-
ties concerning its 2017 breach
that exposed information on
150 million Americans.

Hack Casts a Shadow on Cloud Security


After over 100 million records were exposed, industry races to find out how it happened


Credit Breach
A hacker accessed the personal information of 100 million
Capital One credit-card customers and applicants in the
U.S. and six million in Canada.

Major breaches of global financial-services firms

Capital One (2019): 106 million credit-card customers and applicants
Equifax (2017): 148 million credit accounts
Heartland Payment Systems (2009): 130 million customers
Korea Credit Bureau (2014): 104 million credit-card accounts
TRW Information Systems and Sears (1984): 90 million individuals
JPMorgan Chase (2014): 76 million households
CardSystems Solutions (2005): 40 million credit-card accounts
Data Processors Intl (2003): 12 million credit-card numbers

Source: staff reports

Social media posts, including
from a Twitter account Ms.
Thompson launched last month
under the handle “erratic,” varied
from mourning the loss
of her cat to discussing the dif-
ficulties of being transgender
and of experiencing homeless-
ness. In one tweet from early
July, weeks before her arrest,
she tweeted that she was
checking herself into a mental-
health facility.
Ms. Thompson changed her
name in 2009 from Trevor Al-
len Thompson, according to a
legal document.
Cybersecurity professional
Jackie Singh said she has
known Ms. Thompson through
online forums including Twitter
for several weeks. Ms. Singh
said Ms. Thompson told her she
had been supporting herself by
hacking Amazon cloud custom-
ers and using the services they
had purchased to mine crypto-
currencies such as Ethereum
and Monero.
Aife Dunne, a software de-
veloper in Colorado Springs,
Colo., said she met Ms. Thomp-
son in December through an in-
ternet chat service where the
two kept in touch regularly un-
til about a month ago. Ms.
Dunne said that Ms. Thompson
often chatted in messages
about her struggles as a trans-
gender woman and about being
unemployed. Ms. Dunne said
Ms. Thompson never discussed
Capital One.
Ms. Thompson worked at
Amazon Web Services from
2015 to 2016, spending time
working on one of AWS’s flag-
ship products, Simple Storage
Service, or S3. A résumé Ms.
Thompson posted on the digital
documents service Scribd says
that she was a Level 4 em-
ployee, which would be consid-

plete as unsuspecting Capital
One executives prepared for the
company’s first-quarter earn-
ings released days later. On the
analyst call, Capital One’s
founder and CEO, Richard Fair-
bank, answered a series of ques-
tions about the company’s move
into the cloud, which he called
“big news” as it expected to fin-
ish the move from its own data
centers by the end of next year.
In early June, Ms. Thompson
tweeted that she expected to
soon be in the public spotlight:
“I’d give it at least two [weeks]
before they find out who I am
and the whole internet de-
mands that I be banned.”
Ms. Thompson participated
in an online discussion group
hosted by the collaboration
company Slack Inc. where, on
June 26, she posted a descrip-
tion of the steps she said she
was taking to obscure her iden-
tity while hacking, prosecutors
said. The next day she “posted
about several companies, gov-
ernment entities and educa-
tional institutions,” according
to the criminal complaint.
One of the group’s partici-
pants responded: “don’t go to
jail plz.”
On July 17, Capital One re-
ceived an email with the subject
line “Leaked s3 data” to an ac-
count it set up for people to re-
port possible vulnerabilities
with its site or products, accord-
ing to the complaint. The
sender, with which the bank
said it had no prior contact, di-
rected Capital One to an account
on coding platform GitHub that
was linked to Ms. Thompson.
The email ended with an offer
to help track the hacker down.
Capital One investigated the
GitHub file, which had an April
timestamp, and found more
than 700 folders or buckets of

data, the complaint said. On
July 19, Capital One confirmed
that the breach had taken place
and contacted the FBI, accord-
ing to a person familiar with
the matter. The bank also
handed over its dossier on Ms.
Thompson that it had compiled
during its investigation to au-
thorities, the person said.
Ms. Thompson’s behavior
might seem strange to outsid-
ers—allegedly taking steps to
conceal her identity while hack-
ing Capital One, and then talk-
ing about her exploits publicly.
But it is “not that uncommon in
the hacker community that in-
dividuals brag about their ac-
complishments to seek recogni-
tion from their peers,” said
Steven Masada, assistant U.S.
attorney for the Western Dis-
trict of Washington.
Ms. Thompson’s résumé
shows that she jumped from
job to job in recent years. The
résumé lists three-month to
two-year stints in engineering
at Onvia Inc., the now-closed
Zion Preparatory Academy in
Seattle and Acronym Media
Inc., among other employers.
“I sensed that she was just
angry,” said Alex Branning, CEO
of The Branning Group, a digi-
tal marketing agency. Mr. Bran-
ning’s firm employed Ms.
Thompson as a contractor in
early 2011 before terminating
the relationship, and she re-
cently reached him through
LinkedIn to ask if he had proj-
ects for her to work on, he said.
Onvia has since been sold.
Acronym confirmed that Ms.
Thompson worked remotely for
the digital marketing agency
for 2½ months in 2011 but
was terminated for poor work
quality.
—Nicole Hong
contributed to this article.

ties to national governments.
Prosecutors and people familiar
with Ms. Thompson describe
her as a lone wolf who ap-
peared to be self-destructing
while acknowledging online she
had acted illegally.
“I’ve basically strapped my-
self with a bomb vest, f*cking
dropping capitol [sic] ones dox
and admitting it,” she wrote
last month in direct messages
on Twitter, according to prose-
cutors. She also said in the
Twitter messages that the doc-
uments she obtained contained
Social Security numbers, full
names and dates of birth.
The Federal Bureau of Inves-
tigation said it seized digital
devices from Ms. Thompson’s
home that not only referenced
Capital One but other compa-
nies that may have been tar-
geted. She has been charged
with computer fraud and abuse
for allegedly accessing Capital
One’s servers without authori-
zation.
A lawyer for Ms. Thompson
couldn’t be reached for com-
ment. A detention hearing is
scheduled Thursday in federal
court in Seattle.
The bulk of the exposed data
involves information submitted
by customers and small busi-
nesses that applied for Capital
One credit cards between 2005
and early 2019, the bank said,
including addresses, dates of
birth and self-reported income.




Suspect’s Online Posts Scrutinized


Paige A. Thompson’s profile photo on peegeepee, a public PGP key
server. The 33-year-old was arrested Monday by federal agents.

In this latest massive con-
sumer-data breach, a hacker
accessed the personal infor-
mation of 100 million Capital
One
credit-card customers and
applicants in the U.S. and six
million in Canada.
The breach stands to be one
of the worst for U.S. consum-
ers because of the type of fi-
nancial information accessed.
This valuable consumer finan-
cial information can be used
to figure out the identities of
the most creditworthy or af-
fluent consumers and open a
card or loans in their names.
Here’s what you need to
know if you have a Capital One
credit card or have applied for
one in the past, and how to
protect your accounts and in-
formation.


I have a Capital One credit
card. What happened?


Sensitive identity informa-
tion about consumers and
small businesses who applied
for Capital One credit cards
between 2005 and 2019 was
exposed. So if you have a Cap-
ital One credit card, or have
applied for one in that time
frame, your information is
part of this data breach.
The information leaked in-
cludes names, addresses, ZIP
Codes, phone numbers, email
addresses, dates of birth and
self-reported income, the bank
said. Consumer data including
credit scores, credit limits,
balances, payment history and
some transaction data are also
part of the breach. Also ex-
posed were about 140,000 So-
cial Security numbers and
80,000 linked bank account
numbers.

What can someone do
with this info?
This information can be
used to apply for credit cards.

Capital One says it is unlikely
that the stolen information
was sold or disseminated.
From an identity-theft per-
spective, the Capital One
breach is less widespread than
the Equifax hack because more
Social Security numbers were

compromised in the Equifax
breach. Someone having your
Social Security number means
they can more easily spin up
an unauthorized account in
your name, said Credit-
Cards.com industry analyst
Ted Rossman.
Still, the data in the Capital
One hack is some of the most

valuable information about
consumers and their credit
standing.

What should I do now?
There are three things
those who either have a Capi-
tal One credit card or applied
for one should do immediately.
First, freeze your credit.
This is the most important
step to protecting your infor-
mation. You can call Equifax,
Experian or TransUnion or go
to their websites to do this.
Freezing your credit will
prevent new lines of credit
from being opened in your
name, and it doesn’t affect
your credit score. It is free and
guaranteed by federal law.
Credit-reporting firms must
freeze your credit within one
business day if you make the
request by phone. Be sure to
write down the PIN the credit
bureau gives you when you
freeze your credit so you can
lift the freeze. You also can

place a fraud alert when you
are contacting the credit bu-
reaus, which will make it
harder for someone to open an
account or credit card in your
name.
Then, change your pass-
words. Though Capital One
says login information wasn’t
compromised, reusing old
passwords is a security vul-
nerability. More than eight in
10 Americans reuse passwords
online, according to a 2019
poll from CreditCards.com.
After that, set up two-fac-
tor authentication for all of
your financial profiles and on-
line accounts. Having to log in
via a code sent to your cell-
phone is another barrier to
keep your information safe.
Lastly, monitor your credit-
card activity and credit re-
ports. Capital One said it will
notify everyone affected in the
hack “through a variety of
channels,” and for the people
compromised, it also will be

offering free credit monitoring
and identity protection.

Will I get called or emailed
about this data breach?
Capital One says it isn’t
calling customers about this
incident. The bank says you
shouldn’t give out personal in-
formation over the phone or
email if you are contacted
about this data breach.

What else can I do?
The investigation is ongo-
ing, so the best thing for Capi-
tal One credit-card holders to
do is to keep following the
story. You can also check the
Capital One website for cus-
tomer updates.
Even if you weren’t com-
promised in this hack, Mr.
Rossman said these steps can
help everyone protect their in-
formation against future
breaches.
—AnnaMaria Andriotis
contributed to this article.

By Bourree Lam and Julia Carpenter


Capital One’s Data Breach: What It Means for You


You are affected if
you held or applied
for a Capital One card
during 2005 to 2019.