Capital One Financial said data from about 100 million people in the U.S. was illegally accessed after prosecutors accused a Seattle woman identified by Amazon as one of its former cloud service employees of breaking into the bank’s server.
While the complaint doesn’t identify the cloud provider that stored the allegedly stolen data, the charging papers mention information stored in S3, a reference to Simple Storage Service, Amazon Web Services’ popular data storage software.
An AWS spokesman confirmed that the company’s cloud had stored the Capitol One data that was stolen, and said it wasn’t accessed through a breach or vulnerability in AWS systems. Prosecutors alleged that the access to the bank data came through a misconfigured firewall protecting one of its applications.
Paige A. Thompson was arrested Monday and appeared in federal court in Seattle. The data theft occurred sometime between March 12 and July 17, U.S. prosecutors in Seattle said.
Thompson was previously an Amazon Web Services employee. She last worked at Amazon in 2016, spokesman Grant Milne said. The breach described by Capitol One didn’t require insider knowledge, he said.
“I am deeply sorry for what has happened,” Richard D. Fairbank, Capital One’s chief executive officer, said in a statement. “I sincerely apologize for the understandable worry this incident must be causing those affected.”
About 6 million individuals in Canada were also impacted by the breach, Capital One said.
The largest category of data stolen was supplied by consumers and small businesses when they applied for credit cards from 2005 through early 2019, the bank said. It included a wide array of personal data, such as names, addresses, phone numbers, dates of birth, self-reported income, credit scores and fragments of transaction history.
About 140,000 Social Security numbers were accessed, as well as 80,000 bank account numbers from credit-card customers, the bank said.
Capital One shares fell as much as 6.5% Tuesday morning, their biggest decline in six months.
In court on Monday, Thompson broke down and laid her head down on the defense table during the hearing. She is charged with a single count of computer fraud and faces a maximum penalty of five years in prison and a $250,000 fine. Her lawyer declined to comment.
U.S. Magistrate Judge Mary Alice Theiler ordered Thompson to be held. A bail hearing is set for Aug 1.
Capital One, which is based in McLean, Virginia, has been one of the most vocal advocates for using cloud services among banks. The lender has said it is migrating an increasing percentage of its applications and data to the cloud and plans to completely exit its data centers by the end of 2020 — a move the company says will help lower costs.
The case is U.S. v. Thompson, 19-mj-344, U.S. District Court, Western District of Washington (Seattle).
Published Jul 30, 2019, 9:50 AM, by Christian Berthelsen, Matt Day and William Turton (Bloomberg).