Written by Stacy Cowley and Nicole Perlroth
Large financial companies have to thwart hundreds of thousands of cyberattacks every single day. Data thieves have to get lucky only once.
Big banks like Capital One, the victim of a recent attack that captured the personal information of more than 100 million people, are a target for digital troublemakers, like individual hackers trying to impress their peers or intelligence operatives for foreign governments.
A single weak spot is all savvy hackers need, and they often find one. Already this year, there have been 3,494 successful cyberattacks against financial institutions, according to reports filed with the Treasury Department’s Financial Crimes Enforcement Network.
Federal law enforcement officials said Monday that Paige Thompson, a software engineer in Seattle who used to work for Amazon, got into Capital One’s computer network through what the bank described as a “configuration vulnerability” in its security software. It was akin to leaving a window open overnight at the local bank.
Once inside, she was able to download an array of personal material from customers, including credit card applications and Social Security numbers, according to court documents.
Security experts are likely to home in on the apparently simple mistake made by software developers at Capital One, said Jack Jones, the chairman of the FAIR Institute, a cybersecurity trade group. But simple mistakes are common when it comes to online security.
Every big organization faces so many threats from so many sources that it can be hard to decide what is important. Mastercard, for example, combats some 460,000 intrusion attempts in a typical day, up 70% from a year ago.
“They’re lost in noise,” Jones said. “Nobody has this nailed down.”
The Capital One episode is a reminder of the intricacy of the computer networks at large financial institutions, as well as their vulnerability. Over the past several years, companies including Equifax and Morgan Stanley have been attacked with various hacking methods.
In some cases, the hackers have taken advantage of weak passwords or sent fake emails loaded with malicious computer code that helped them get inside the network. In others, they have scanned for software that hasn’t been kept up-to-date with the latest security fixes. Some hacks took hours. Others took months.
“The very best hackers in the world are hacking these banks, and it’s a full-fledged arms race,” said Tom Kellermann, the chief cybersecurity officer at Carbon Black, a security software maker.
It is unclear whether any insider knowledge helped Thompson break into the Capital One network, as prosecutors allege she did. Though her online résumé indicated that she had a wide range of programming skills, the breach of the bank’s computer systems did not appear to be particularly sophisticated.
Three years ago, Thompson worked for Amazon Web Services, the cloud computing service that hosted Capital One’s data, but she left the company long before the breach. Amazon manages the underlying infrastructure of Capital One’s cloud environment: the servers and networking technology that hold it together. The software Thompson is alleged to have targeted ran on that infrastructure but would have been configured and managed by the bank itself.
Thompson used a gap in Capital One’s firewall software, a security system that acts like a digital gate, to obtain security credentials, according to court documents. With those credentials, she was then able to reach customer records Capital One had stored on Amazon’s cloud service.
Representatives of Capital One refused to answer questions about whether Thompson had hacked into its systems or simply climbed through a window that had accidentally been left open.
“These things happen because of human nature,” said Chris Vickery, a security researcher who specializes in finding unguarded data caches. “These systems are very complex and very granular. People make mistakes.”
More than 11 billion records are known to have been exposed in data breaches since 2005, according to a tracker maintained by the Privacy Rights Clearinghouse. In recent years, huge caches of sensitive data have been taken from individuals’ Anthem health care files, Equifax credit bureau records, mortgage documents held by the title services company First American, Yahoo email accounts and even federal employment records.
Security was, for decades, treated in most industries as an annoying expense. Banks have always been an exception, with high budgets and fairly sophisticated security operations.
Mastercard, for example, has a windowless bunker at its data center in Missouri, where a group of security experts work. Citigroup runs three cyberattack response centers — in Budapest, Hungary; New York; and Singapore — that give it round-the-clock coverage. JPMorgan Chase spends nearly $600 million a year on security, and Bank of America’s chief executive has said the bank’s security team has a “blank check” for its spending.
But attackers keep slipping through.
Cybersecurity “may very well be the biggest threat to the U.S. financial system,” Jamie Dimon, JPMorgan’s chief executive, said in an April letter to shareholders. His company was the victim of a major data breach in 2014 after hackers exploited an employee password to steal data on 76 million households.
The average cost of a security breach in the United States has escalated in recent years to $8.2 million, according to a study by IBM Security and the Ponemon Institute.
The cost for companies of Capital One’s size can climb much higher, particularly when class-action lawsuits and fines from regulators come into play. The credit bureau Equifax said last week that it would pay about $650 million — perhaps much more — to resolve most claims stemming from a 2017 breach that affected 147 million people.
Capital One said it expected to spend at least $100 million this year responding to its breach. Some of that will be offset by the bank’s cybersecurity insurance, which can cover as much as $400 million in losses. A lawsuit seeking class-action status was filed against Capital One on Tuesday.
The breach is particularly embarrassing for Capital One because it was one of the first big financial institutions to move its systems to cloud computing. The company functioned almost like a “proof of concept” for regulators looking to see if the migration to the cloud could be done securely, Kellermann said.
The bank wore its cutting-edge approach as a badge of honor. “Everything new” built by the company’s developers was on Amazon’s infrastructure, Rob Alexander, Capital One’s chief information officer, told the trade publication Information Week in December.
“We are entirely focused on moving to the public cloud,” he said.
Cybersecurity experts wondered why the company’s security defenses did not pick up Thompson’s intrusion. Most financial institutions use technology that can detect unusual patterns of behavior indicating that a user could be trying to rob the bank.
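The kind of behavioral detection the previous paragraph refers to can be as simple as comparing each identity's access to a data store against its own recent history. The script below is an added example written for this page; it is not code from the article, from Capital One or from Amazon. The log format, the role names (app-role, waf-role), the object paths, the IP addresses and the thresholds are all constructed for illustration, and real cloud storage access logs carry different fields.

```python
"""Baseline-and-deviation check over constructed data-store access logs.

Added example, not the article's or any vendor's code. Log format, role
names, object paths, IP addresses and thresholds are assumptions made up
for illustration; real cloud access logs use different fields.
"""
from collections import defaultdict

# Constructed sample (not real data): one access event per line.
#   <ISO timestamp> <principal> <action> <object> <source IP>
SAMPLE_LOG = """\
2019-03-20T09:01:12Z app-role GET customers/2018/apps-001.csv 10.0.4.12
2019-03-20T09:02:40Z app-role GET customers/2018/apps-002.csv 10.0.4.12
2019-03-20T00:00:05Z waf-role GET waf/config/rules.json 10.0.1.5
2019-03-21T09:00:03Z app-role GET customers/2018/apps-003.csv 10.0.4.12
2019-03-21T10:15:55Z app-role GET customers/2018/apps-001.csv 10.0.4.12
2019-03-21T00:00:04Z waf-role GET waf/config/rules.json 10.0.1.5
2019-03-22T08:58:21Z app-role GET customers/2018/apps-004.csv 10.0.4.12
2019-03-22T00:00:06Z waf-role GET waf/config/rules.json 10.0.1.5
2019-03-22T15:31:09Z waf-role LIST customers/ 203.0.113.45
2019-03-22T15:31:10Z waf-role GET customers/2018/apps-001.csv 203.0.113.45
2019-03-22T15:31:11Z waf-role GET customers/2018/apps-002.csv 203.0.113.45
2019-03-22T15:31:12Z waf-role GET customers/2017/apps-archive.csv 203.0.113.45
2019-03-22T15:31:13Z waf-role GET customers/2016/apps-archive.csv 203.0.113.45
"""


def parse_log(text):
    """Split the constructed format into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, principal, action, obj, ip = parts
        events.append({"day": ts[:10], "principal": principal,
                       "action": action, "object": obj, "ip": ip})
    return events


def build_baseline(events, before_day):
    """Per-principal profile from days strictly before `before_day`: source IPs
    used, actions performed, and the most distinct objects touched in one day."""
    profile = {}
    per_day = defaultdict(set)  # (principal, day) -> distinct objects that day
    for e in events:
        if e["day"] >= before_day:
            continue
        p = profile.setdefault(e["principal"],
                               {"ips": set(), "actions": set(), "max_daily_objects": 0})
        p["ips"].add(e["ip"])
        p["actions"].add(e["action"])
        per_day[(e["principal"], e["day"])].add(e["object"])
    for (principal, _day), objs in per_day.items():
        p = profile[principal]
        p["max_daily_objects"] = max(p["max_daily_objects"], len(objs))
    return profile


def detect_anomalies(events, day, volume_factor=3):
    """Return (principal, reason, detail) findings for `day` against the baseline.

    Reasons: no_baseline (identity never touched the store before), volume
    (distinct objects exceed volume_factor times its previous daily maximum),
    new_ip (source address never seen for it), new_action (e.g. first LIST)."""
    baseline = build_baseline(events, day)
    todays = defaultdict(list)
    for e in events:
        if e["day"] == day:
            todays[e["principal"]].append(e)
    findings = []
    for principal, evs in sorted(todays.items()):
        objects = {e["object"] for e in evs}
        ips = {e["ip"] for e in evs}
        actions = {e["action"] for e in evs}
        if principal not in baseline:
            findings.append((principal, "no_baseline",
                             f"first access to this data store: {len(objects)} objects"))
            continue
        base = baseline[principal]
        if len(objects) > volume_factor * base["max_daily_objects"]:
            findings.append((principal, "volume",
                             f"{len(objects)} distinct objects vs. daily max {base['max_daily_objects']}"))
        new_ips = ips - base["ips"]
        if new_ips:
            findings.append((principal, "new_ip", f"unseen source IPs {sorted(new_ips)}"))
        new_actions = actions - base["actions"]
        if new_actions:
            findings.append((principal, "new_action", f"unseen actions {sorted(new_actions)}"))
    return findings


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for principal, reason, detail in detect_anomalies(EVENTS, "2019-03-22"):
        print(f"{principal}: {reason}: {detail}")
```

Run against the constructed log for 2019-03-22, the script is silent about app-role, whose reads match its two prior days, and raises three findings for waf-role: a jump from one object a day to six, a source address it had never used, and a LIST operation it had never performed. Each signal alone is noisy; an identity that trips all three in a single session is what this kind of tooling is meant to surface, and it is the sort of pattern the experts quoted here expected a bank to catch rather than learn about from a stranger's email months later.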
Capital One learned about the attack from an outsider about three months after it happened. On July 17, the company got an email that tipped it off to leaked data posted on the coding platform GitHub, according to court documents.
“Let me know if you want help tracking them down,” the person who raised the alarm wrote in the email to the bank.
Others may have followed the same path that prosecutors say Thompson did, Kellermann said. “There is no way that same back door wasn’t available to other people during that time.”