
Capital One Breach: When Cloud Misconfiguration Cost $270 Million

March 2019, 9 min read

What Happened

In **July 2019**, Capital One Financial Corporation disclosed that a hacker had stolen the **personal information of over 100 million customers and credit card applicants** in the United States and **6 million in Canada**. This was one of the **largest banking breaches** in history.

🔓 The breach was caused by a **misconfigured web application firewall** in Capital One's AWS cloud environment.

The Hacker

The attacker was **Paige Thompson**, a former **Amazon Web Services (AWS) employee** and software engineer. Using her cloud infrastructure knowledge, she:

  • 🎯 Exploited a **firewall misconfiguration** in Capital One's AWS setup
  • ☁️ Used **Server-Side Request Forgery (SSRF)** to access AWS metadata
  • 🔑 Stole **temporary security credentials** from the metadata service
  • 📂 Accessed over **700 S3 storage buckets** containing customer data
  • 💬 **Bragged about the hack** on social media (leading to her arrest)

What Was Stolen

Thompson downloaded **30GB of compressed data** containing:

Personal Information (100 million+ people)

  • ✉️ Names and email addresses
  • 📞 Phone numbers and addresses
  • 📅 Dates of birth
  • 💳 Credit scores and limits
  • 💰 Income and financial information

Highly Sensitive Data (140,000+ people)

  • 🏦 Social Security numbers
  • 💳 Linked bank account numbers
  • 🔢 Full credit card numbers

How the Attack Worked

The breach exploited **Cloud Security 101 mistakes**:

Step 1: Find the Misconfiguration

Capital One's **web application firewall (WAF)** host was misconfigured, and three weaknesses lined up behind it:

  • ❌ **Unrestricted access** to AWS metadata service
  • ❌ **No proper network segmentation**
  • ❌ **Overly permissive IAM roles**

Step 2: Exploit SSRF Vulnerability

Thompson used **Server-Side Request Forgery (SSRF)** to make Capital One's server query the AWS metadata service:

http://169.254.169.254/latest/meta-data/iam/security-credentials/

This returned the **temporary AWS credentials** for the WAF host's IAM role, which should never have been reachable by an outside requester.

Step 3: Access S3 Buckets

Using the stolen credentials, Thompson:

  1. Listed all accessible S3 storage buckets
  2. Downloaded data from **over 700 folders**
  3. Exfiltrated **30GB** of compressed customer data
  4. Repeated the process across multiple dates

Step 4: Got Caught Bragging

Thompson's downfall came when she **posted about the breach** on:

  • 💬 GitHub (sharing tools and methods)
  • 💬 Slack channels (bragging to other hackers)
  • 💬 Twitter (discussing the stolen data)

A **security researcher** noticed the posts and reported them to Capital One, leading to Thompson's arrest by the FBI.

The Aftermath

Capital One faced severe consequences:

  • 💰 **$270 million** total cost (breach response, legal fees, fines)
  • ⚖️ **$80 million fine** from banking regulators (OCC)
  • 👥 **$190 million class-action settlement**
  • 📉 Stock price dropped significantly
  • 😠 Massive reputational damage

Paige Thompson was:

  • 🚔 Arrested by the FBI
  • ⚖️ Convicted on wire fraud and computer intrusion charges
  • ⏱️ Sentenced to time served and supervised release (2022)

Critical Cloud Security Lessons

1. Cloud Misconfigurations Are Deadly

**95% of cloud breaches** are due to **customer misconfiguration**, not cloud provider flaws. Capital One's firewall rules were too permissive, allowing access to sensitive AWS metadata.

2. IAM Roles Must Follow Least Privilege

The AWS IAM role had **excessive permissions**, allowing access to hundreds of S3 buckets. **Grant only minimum necessary permissions**.
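A small policy lint that tells the two styles of role policy apart, added here as an example (not Capital One's code or AWS's own tooling); the policies and the bucket name `example-app-assets` are constructed:

```python
# Constructed example policies for an EC2 instance role; not Capital One's actual policy.
# "example-app-assets" is a hypothetical bucket name.
OVERLY_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-assets/static/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-app-assets",
         "Condition": {"StringLike": {"s3:prefix": "static/*"}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def overbroad_statements(policy):
    """Return (statement index, problem, offending values) for every Allow statement
    that grants a wildcard action or applies to every S3 resource. A role carrying
    either can turn one leaked credential into access to every bucket in the account."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        wild_actions = [a for a in _as_list(stmt.get("Action", [])) if "*" in a]
        wild_resources = [r for r in _as_list(stmt.get("Resource", []))
                          if r == "*" or r.startswith("arn:aws:s3:::*")]
        if wild_actions:
            findings.append((idx, "wildcard action", wild_actions))
        if wild_resources:
            findings.append((idx, "all S3 resources", wild_resources))
    return findings
```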

3. Protect AWS Metadata Service

The AWS metadata service (169.254.169.254) provides **temporary credentials** and should be:

  • ✅ **Blocked from external access**
  • ✅ **Protected using IMDSv2** (requires token authentication)
  • ✅ **Monitored for unusual access patterns**
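To show why the IMDSv2 bullet matters, here is an added toy model (not AWS's implementation) of the metadata endpoint in v1 and v2 modes; the role name `app-role` is hypothetical. A URL-only SSRF can only make the server issue a bare GET, and IMDSv2 refuses that unless a session token obtained through a separate PUT is attached:

```python
import secrets
import time

CREDENTIALS_PATH = "/latest/meta-data/iam/security-credentials/"
TOKEN_PATH = "/latest/api/token"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"

class MetadataService:
    """Constructed model of the metadata endpoint at 169.254.169.254: require_token=False
    behaves like IMDSv1, require_token=True like IMDSv2 (HttpTokens=required)."""

    def __init__(self, require_token, role_name="app-role"):  # role name is hypothetical
        self.require_token = require_token
        self.role_name = role_name
        self._tokens = {}  # session token -> expiry (epoch seconds)

    def handle(self, method, path, headers=None):
        headers = headers or {}
        if method == "PUT" and path == TOKEN_PATH:
            ttl = int(headers.get(TTL_HEADER, "0"))
            if not 1 <= ttl <= 21600:  # IMDSv2 caps a session token at six hours
                return 400, "invalid TTL"
            token = secrets.token_urlsafe(32)
            self._tokens[token] = time.time() + ttl
            return 200, token
        if method != "GET":
            return 405, "method not allowed"
        if self.require_token:
            token = headers.get(TOKEN_HEADER)
            if token is None or self._tokens.get(token, 0) < time.time():
                return 401, "unauthorized"  # a bare GET stops here under IMDSv2
        if path == CREDENTIALS_PATH:
            return 200, self.role_name  # the real service then serves keys under <role>/
        return 404, "not found"

def plain_get_via_url(service, url):
    """What a URL-only SSRF yields: the application server issues a bare GET, with no
    custom method or headers, to whatever host and path the supplied URL names."""
    path = url.split("169.254.169.254", 1)[1]
    return service.handle("GET", path)

def imdsv2_client_fetch(service, path):
    """A legitimate IMDSv2 client: PUT for a session token, then GET with it attached."""
    status, token = service.handle("PUT", TOKEN_PATH, {TTL_HEADER: "300"})
    if status != 200:
        raise RuntimeError(token)
    return service.handle("GET", path, {TOKEN_HEADER: token})
```

On a real instance the equivalent switch is setting the metadata option `HttpTokens` to `required`; the model above only shows why that one setting closes the path the breach used.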

4. Network Segmentation in the Cloud

Proper **network segmentation** could have limited the blast radius. Use:

  • ✅ VPC security groups
  • ✅ Network ACLs
  • ✅ Private subnets for sensitive resources
  • ✅ VPC endpoints to avoid public internet exposure

5. Monitor and Audit Cloud Activity

Capital One didn't detect the breach for **months**. They should have:

  • ✅ Enabled **AWS CloudTrail** logging
  • ✅ Set up **alerts for unusual S3 access**
  • ✅ Monitored **credential usage patterns**
  • ✅ Used **AWS GuardDuty** for threat detection
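As an added example of the kind of CloudTrail check this lesson calls for (not Capital One's or AWS's own detection logic), the code below flags an instance-role session whose API calls come from outside the addresses your workloads use, or that lists buckets and then reads from many distinct ones; the events, account ID, IP addresses and VPC range are all constructed:

```python
import ipaddress
from collections import defaultdict

# Constructed CloudTrail-style events trimmed to the fields the check uses; not
# real Capital One logs. 111122223333 and 203.0.113.9 are documentation values.
ROLE_SESSION = "arn:aws:sts::111122223333:assumed-role/app-role/i-0123456789abcdef0"
LEGIT_SESSION = "arn:aws:sts::111122223333:assumed-role/app-role/i-0fedcba9876543210"

def _ev(name, ip, bucket=None, arn=ROLE_SESSION):
    return {"eventName": name, "sourceIPAddress": ip, "userIdentity": {"type": "AssumedRole", "arn": arn},
            "requestParameters": {"bucketName": bucket} if bucket else None}

SAMPLE_EVENTS = [
    _ev("ListBuckets", "203.0.113.9"),  # enumeration from an outside address
    _ev("GetObject", "203.0.113.9", "customer-data-01"),
    _ev("GetObject", "203.0.113.9", "customer-data-02"),
    _ev("GetObject", "203.0.113.9", "customer-data-03"),
    _ev("GetObject", "10.0.3.14", "app-assets", LEGIT_SESSION),  # normal in-VPC read
    _ev("GetObject", "ec2.amazonaws.com", "app-assets", LEGIT_SESSION),  # AWS service on our behalf
]

def find_suspicious_sessions(events, allowed_cidrs, bucket_threshold=3):
    """Return {session ARN: [reasons]} for assumed-role sessions calling AWS from outside
    the addresses your workloads use, or listing buckets and then reading many of them."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    sessions = defaultdict(lambda: {"external_ips": set(), "buckets": set(), "listed": False})
    for ev in events:
        ident = ev.get("userIdentity") or {}
        if ident.get("type") != "AssumedRole":
            continue
        s = sessions[ident["arn"]]
        try:
            ip = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            ip = None  # sourceIPAddress can be a service name such as "ec2.amazonaws.com"
        if ip is not None and not any(ip in n for n in nets):
            s["external_ips"].add(str(ip))
        if ev["eventName"] == "ListBuckets":
            s["listed"] = True
        params = ev.get("requestParameters") or {}
        if ev["eventName"] in ("GetObject", "ListObjects", "ListObjectsV2") and "bucketName" in params:
            s["buckets"].add(params["bucketName"])
    findings = {}
    for arn, s in sessions.items():
        reasons = ["role credentials used from " + ", ".join(sorted(s["external_ips"]))] if s["external_ips"] else []
        if s["listed"] and len(s["buckets"]) >= bucket_threshold:
            reasons.append("bucket enumeration then reads from %d buckets" % len(s["buckets"]))
        if reasons:
            findings[arn] = reasons
    return findings
```

The allowed list should hold the addresses CloudTrail actually records for your instances (VPC endpoint private ranges, or NAT and Elastic IP addresses when traffic leaves through an internet gateway), otherwise every legitimate call looks external.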

Cloud Security Best Practices

Protect your business from cloud breaches:

☁️ Secure Your Cloud Configuration

  • ✅ **Use configuration management tools** (AWS Config, Azure Policy)
  • ✅ **Run regular security audits** of cloud resources
  • ✅ **Enable all available security features** (IMDSv2, GuardDuty, etc.)
  • ✅ **Use Cloud Security Posture Management (CSPM) tools**

🔐 Implement Least Privilege Access

  • ✅ **Review IAM permissions quarterly**
  • ✅ **Remove unused roles and permissions**
  • ✅ **Use temporary credentials** instead of long-term access keys
  • ✅ **Separate dev/staging/production environments**

🛡️ Protect Sensitive Data

  • ✅ **Encrypt all data** at rest and in transit
  • ✅ **Use separate encryption keys** per environment
  • ✅ **Enable S3 bucket versioning and object lock**
  • ✅ **Set up bucket policies and ACLs correctly**

👀 Monitor Everything

  • ✅ **Enable logging for all cloud services**
  • ✅ **Set up alerts for suspicious activity**
  • ✅ **Review access logs regularly**
  • ✅ **Use automated threat detection tools**

The Bottom Line

The Capital One breach proves that **cloud security is your responsibility**, not just the cloud provider's. A simple firewall misconfiguration combined with overly permissive IAM roles led to one of the largest banking breaches ever.

For businesses moving to the cloud: **hire cloud security expertise**, use security tools, and regularly audit your configurations. The cloud is powerful, but **security is not automatic**.
