Capital One Hack: How It Happened

Security experts have weighed in on the vulnerabilities that caused the recent Capital One hack, in which 100 million private records were compromised.

At first, there had been speculation that it was an “inside job” or a security flaw that may have been known to the software vendor but for which no patch had yet been developed (also known as a “zero day” flaw.) But the most recent investigation suggests that the hacker’s methods have long been understood by security experts.

The Capital One Hack

Authorities arrested a 33-year-old Seattle software engineer, who had previously worked for Amazon, for hacking into an Amazon cloud server where Capital One Bank, a major credit card issuer, stored sensitive financial records of more than 100 million customers.

According to federal prosecutors, the incident was one of the largest data thefts in recent history. The hack snared 140,000 Social Security numbers, 80,000 bank account numbers, 1 million Canadian Social Insurance numbers, and countless credit applications.

Capital One officials have said they do not believe the data was stolen for purposes of fraud. From what is known of the hacker, it appears to have been an attempt to show off and prove it could be done. The woman accused of perpetratrating the Capital One hack did not cover her digital tracks, had mental health issues and bragged on Twitter that she had strapped herself with a virtual “bomb vest.” She threatened to distribute the stolen data even though she knew what would happen to her as a result.

This is small comfort to those whose data was compromised and must now pay for credit monitoring and deal with the possibility of identity theft.

The Role of “Modsec”

“ModSecurity,” or Modsec, is what is known as an open-source Web Application Firewall (WAF). In simple terms, this security module defends servers against the most common vulnerabilities that hackers use to break into a database.

In the case of the Capital One hack, the module was not configured properly. This allowed the hacker to essentially trick the firewall, using a well-known method referred to as a “Server Side Request Forgery” (SSRF). Because the WAF had been misconfigured to list all the files contained in a block of data, the hacker was able to “dupe” the software into revealing everything, according to cybersecurity blog KrebsOnSecurity.com.

Unfortunately, public cloud storage is particularly vulnerable to SSRF attacks.

Is Capital One Responsible?

Regardless of whether or not Capital One actually owned or controlled the compromised server, the company may ultimately bear liability, even if the company that houses the data is actually at fault. However, the extent of liability can vary, depending on the specifics of the case and the economic and psychological impacts of those who were affected.

Join a Free Capital One Data Breach Lawsuit Investigation

If you applied for a Capital One credit card between 2005 and 2019 in the United States or Canada, you may may qualify to join this Capital One data breach class action lawsuit investigation.

Learn More

This article is not legal advice. It is presented
for informational purposes only.