OpenSecurity.global
Kevin Beaumont

Capital One US and Canada breach


Indictment PDF: https://www.dropbox.com/s/z7u5rxcdajuvw6t/19718675504.pdf?dl=0

A bunch of things stand out:

  • Why did the WAF account apparently have access to the S3 storage buckets?
  • Why wasn't the data of hundreds of millions of people's credit checks encrypted? Should that kind of data have been left for so long in cloud buckets?
  • Why didn't they notice all these S3 buckets being synced to a random VPN IP address? It happened 4 months ago.
  • Why didn't they notice the Gitlab pages listing their config?
  • Why didn't they notice until somebody random emailed them to tell them?

I don't know if more details will go public (they probably don't want it to get to trial for obvious reasons).

I guess lessons learned from outside looking in are:

- Monitoring. Ingest your cloud logs. Alert against them. Monitor sites like Github and Gitlab for obviously sensitive information, e.g. usernames, bucket names etc.

And yes, this is the kind of incident that would (and still will) catch many orgs with their pants down, Capital One aren't alone.  It looks like the same person behind this one hit other fintech orgs too, looking at their online files - I'm going to guess they haven't noticed yet either.

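The "ingest your cloud logs, alert against them" lesson above, as an added example that is not part of the original post: a small Python detector that runs over constructed CloudTrail-shaped records and raises two findings the post's questions point at, an assumed-role credential making S3 reads from a source IP outside the networks that role is expected to be used from, and one principal reading across many distinct buckets. The records, the role ARN, the IP addresses, the bucket names and the expected-network ranges are all assumptions for illustration, not Capital One's environment or logs.

```python
"""Toy CloudTrail detector: off-network use of an instance-role credential
and bulk S3 bucket reads by one principal.

Added example, not from the original post. Every record, ARN, IP address
and bucket name below is constructed.
"""
import ipaddress
import json
from collections import defaultdict

# Assumption: the VPC range plus a corporate egress range; a WAF instance's
# role should only ever be used from inside these.
EXPECTED_NETWORKS = ("10.0.0.0/8", "192.0.2.0/24")

# S3 calls that read data or enumerate what exists. ListBuckets is a
# management event; GetObject/ListObjects are S3 data events and appear in
# CloudTrail only if data-event logging is enabled on the trail.
S3_READS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}

ROLE = "arn:aws:sts::123456789012:assumed-role/app-waf-role/i-0abc"  # constructed

# Constructed records, one JSON object per line, trimmed to the fields used.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2019-03-22T10:01:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE},
     "requestParameters": {"bucketName": "waf-config"}},
    {"eventTime": "2019-03-22T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE},
     "requestParameters": None},
    {"eventTime": "2019-03-22T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE},
     "requestParameters": {"bucketName": "cc-applications-2016"}},
    {"eventTime": "2019-03-22T10:06:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE},
     "requestParameters": {"bucketName": "cc-applications-2017"}},
    {"eventTime": "2019-03-22T10:07:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE},
     "requestParameters": {"bucketName": "cc-applications-2018"}},
    {"eventTime": "2019-03-22T10:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE},
     "requestParameters": None},  # non-S3 call, ignored by the rules
])


def parse_records(text):
    """Parse newline-delimited JSON; also accept CloudTrail's {"Records": [...]} files."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            obj = json.loads(line)
            records.extend(obj.get("Records", [obj]))
    return records


def is_expected_ip(ip, networks):
    """True if ip falls inside an expected network. CloudTrail records an
    AWS service DNS name instead of an address for service-initiated calls;
    treat those as expected rather than crashing on them."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in ipaddress.ip_network(n) for n in networks)


def detect(records, networks=EXPECTED_NETWORKS, bucket_threshold=3):
    """Return findings: one per (role credential, off-network IP) pair seen
    doing S3 reads, plus one per principal reading >= bucket_threshold buckets."""
    findings = []
    buckets_by_principal = defaultdict(set)
    offnet_seen = set()
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") not in S3_READS:
            continue
        ident = r.get("userIdentity") or {}
        principal = ident.get("arn", "?")
        ip = r.get("sourceIPAddress", "")
        bucket = (r.get("requestParameters") or {}).get("bucketName")
        if bucket:
            buckets_by_principal[principal].add(bucket)
        if ident.get("type") == "AssumedRole" and not is_expected_ip(ip, networks):
            if (principal, ip) not in offnet_seen:  # alert once per pair, not per call
                offnet_seen.add((principal, ip))
                findings.append({"rule": "role_credential_used_off_network",
                                 "principal": principal, "source_ip": ip,
                                 "first_seen": r.get("eventTime")})
    for principal, buckets in buckets_by_principal.items():
        if len(buckets) >= bucket_threshold:
            findings.append({"rule": "bulk_bucket_read", "principal": principal,
                             "buckets": sorted(buckets)})
    return findings


if __name__ == "__main__":
    for f in detect(parse_records(SAMPLE_LOG)):
        print(json.dumps(f))
```

The first rule is the cheap one and needs no baseline: an EC2 instance role's temporary credentials should never show up from an address the instance does not own, so any hit is worth a ticket. The second rule needs a threshold tuned to what each role normally touches; a role that legitimately reads one config bucket reading dozens of others is the signal, not the raw count.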
