Regulatory Implications from 2019 Capital One Hack and Recent Conviction of Former AWS Engineer
Paige Thompson, a former Amazon Web Services employee, was recently convicted of seven counts of fraud in U.S. District Court for stealing personal data belonging to more than 100 million customers from unsecured accounts stored on Amazon Web Services in the cloud. The data breach cost US bank Capital One more than $270 million in compensation and regulatory fines. Thompson orchestrated the theft of personal data from an unsecured AWS storage bucket in the cloud.
Thompson was arrested in July 2019 after Capital One learned of the breach. The stolen data included social security numbers and bank account data. Thompson used a tool she built to scan AWS accounts for misconfigurations, then broke in and downloaded the data. The FBI traced Thompson to a Slack channel in which she claimed to possess the stolen data. She also mentioned that she intended to check herself into a psychiatric institution. Thompson is scheduled to be sentenced in September.
Capital One was fined $80 million by the Office of the Comptroller of the Currency and paid $190 million to settle a class action lawsuit brought by customers who were victims of the data theft.
In the aftermath of the hack, AWS and Capital One pointed fingers at each other.
AWS claimed that Thompson gained access through a “misconfiguration of the web application, and not the underlying cloud-based infrastructure.” The incident was an important reminder for all financial institution customers of cloud service providers (CSPs) that they need their own set of cloud security measures and cannot simply rely on the CSP for that security. In Capital One’s case, Thompson was able to gain unauthorized access to Capital One data through a misconfigured web-application firewall and through Capital One’s failure to meet its shared-responsibility obligations when working with a CSP.
Capital One responded quickly, which indicates it had adopted a rapid escalation process. Capital One first learned of the hack from a tip sent to its vulnerability disclosure email inbox and contacted the FBI early in its response. Within 12 days, the FBI arrested Thompson.
The Capital One – AWS breach underscores the dangers of cyber attacks on financial institutions that rely on cloud service providers.
In a recent article, Carlo Massimo of Information Week noted that “[t]he US, UK, and EU are all weighing regulations that would consider cloud companies ‘critical infrastructure’ and require they meet resiliency standards.” Carlo Massimo’s article hit the nail right on the head.
In a recent study, the Cloud Security Alliance found that 91 percent of financial services organizations are using cloud services or plan to use them within six to nine months, double the figure reported four years ago. Yet regulators appear to be moving slowly to respond to this fast-moving transformation and the resulting change in the risk landscape.
Banking regulators have not reacted to this significant shift toward cloud computing services and cloud data storage. While financial institutions are already subject to elaborate risk assessment and security requirements, banking regulators need to respond and outline appropriate security refinements for financial institutions, including breach detection, security protocols and escalation procedures, so that no time is wasted once an incident occurs.
In his article, Carlo Massimo noted that, in response to the Capital One breach, “Representatives Katie Porter (CA-D) and Nydia M. Velázquez (NY-D) wrote the Financial Stability Oversight Council at the Treasury, demanding that cloud storage in the financial industry be counted as systematically important financial market utilities (SIFMUs), as defined by the Dodd-Frank Act.” This designation, Carlo Massimo noted, “would allow the Federal Reserve ‘to prescribe risk management standards’ and ‘conduct examinations of’ these service providers.”
In the absence of regulatory intervention in this area, financial institutions have to re-examine their cyber defenses and reassess how their security and operations teams coordinate to ensure data protection. While CSPs have significant obligations to define the shared-responsibility split, financial institutions have to identify and respond to the risks on their side of that split so that they can avoid the devastating consequences of a serious data breach stemming from their cloud-based operations. Financial institutions should implement a preventative security strategy built on encryption, vulnerability assessments and consistent configurations. Third-party security and monitoring capabilities should be used alongside the CSP’s own security controls.
The financial industry will have to prove to regulators that it understands and has implemented effective risk management. If financial institutions fail to act, rest assured regulators will intervene with a detailed and comprehensive regulatory regime governing the CSP environment.