
Capital One Breach: 100 Million Records Lost Because of a Cloud Misconfiguration


Capital One disclosed that a hacker accessed the personal data of approximately 100 million customers and credit card applicants. The data included names, addresses, phone numbers, dates of birth, credit scores, credit limits, balances, and in some cases, Social Security numbers and bank account numbers.

The breach didn't happen because of a sophisticated attack. It happened because of a misconfigured web application firewall in Capital One's AWS cloud environment. A former AWS employee exploited the misconfiguration to access data stored in S3 buckets.

What Happened

  1. Capital One stored customer data in Amazon Web Services (AWS)
  2. A web application firewall (WAF) was misconfigured, allowing server-side request forgery (SSRF)
  3. The attacker used the SSRF to query the AWS instance metadata service and obtain the temporary credentials it serves to the instance
  4. Those credentials provided access to S3 storage buckets containing customer data
  5. The attacker exfiltrated the data and (unusually) posted about it publicly on social media
  6. A tip led to the FBI identifying and arresting the attacker within days

The Cloud Security Lesson

This breach perfectly illustrates the most dangerous misconception about cloud computing: that "in the cloud" means "secure by default."

It doesn't.

AWS, Microsoft Azure, and Google Cloud provide infrastructure security (they protect the data centers, networks, and physical hardware). But the security of your data, applications, and configurations is your responsibility. This is called the Shared Responsibility Model, and most organizations don't understand it.

What the Cloud Provider Secures

  • Physical data center security
  • Network infrastructure
  • Hypervisor and virtualization layer
  • Storage hardware and encryption options

What You Must Secure

  • Access controls and permissions
  • Application configurations
  • Data encryption at rest
  • Network configurations (firewalls, security groups)
  • Monitoring and logging
  • Identity management

Capital One had access to the best cloud security tools in the world. They misconfigured a firewall rule. One misconfiguration, 100 million records.

What This Means for Your Practice

If your practice uses cloud services (and most do: email, backup, PMS, patient portals), you need to understand that cloud security requires active management:

  • Review access controls. Who has admin access to your cloud accounts? Are former employees still listed? Is 2FA enabled?
  • Check storage permissions. Cloud storage (Dropbox, Google Drive, OneDrive, S3) can be accidentally set to public. Verify that shared links and folder permissions are configured correctly.
  • Monitor for unusual activity. Cloud services provide activity logs. Someone should be reviewing them, either your IT provider or a monitoring service.
  • Understand your vendor's security model. Ask cloud-based PMS vendors, patient portal providers, and backup services about their security configurations and your responsibilities within them.
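The chain in steps 3 and 4 above (instance credentials reused from outside the cloud to read storage) is exactly what "monitor for unusual activity" should catch. The following is an added illustration, not code from Capital One or AWS: a small Python checker over constructed, simplified CloudTrail-style records that flags S3 reads made with an instance role's session from an IP outside the trusted VPC range. The account ID, role name and network range are placeholders.

```python
import ipaddress

# Constructed, simplified CloudTrail-style records (not real breach logs).
# Note: GetObject only appears in CloudTrail if S3 data-event logging is enabled.
SAMPLE_EVENTS = [
    {"eventName": "ListBuckets", "sourceIPAddress": "10.0.1.25",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/waf-instance-role/i-0abc"}},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/waf-instance-role/i-0abc"}},
    {"eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/backup-svc"}},
]

# Assumed placeholders: the VPC range the instance role legitimately calls from,
# and the roles that are only ever attached to EC2 instances.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]
INSTANCE_ROLES = {"waf-instance-role"}
S3_READ_EVENTS = {"ListBuckets", "ListObjects", "GetObject"}


def role_name(arn):
    """Return the role name from an STS assumed-role ARN, or None for other ARNs."""
    parts = arn.split(":assumed-role/")
    return parts[1].split("/")[0] if len(parts) == 2 else None


def from_trusted_source(source):
    """True if the call came from the trusted range or from an AWS service hostname."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True  # e.g. "s3.amazonaws.com": service-originated, not an external client
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious(events):
    """Events where an instance-role session reads S3 from outside the trusted networks."""
    hits = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue  # only instance-role sessions are in scope for this check
        if role_name(ident.get("arn", "")) not in INSTANCE_ROLES:
            continue
        if ev.get("eventName") in S3_READ_EVENTS and not from_trusted_source(ev.get("sourceIPAddress", "")):
            hits.append(ev)
    return hits
```

The in-VPC ListBuckets passes and the IAM user is out of scope; only the instance-role GetObject from 203.0.113.7 is flagged, which is the signal to investigate rather than a verdict on its own.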

Cloud computing is powerful and, when properly configured, more secure than most on-premises alternatives. But "properly configured" is the key phrase. The cloud doesn't secure itself.