Update: At about 4pm, UpGuard altered a report referenced in this story to emphasize the software vendor Birst’s control and ownership of the leaked data. Gizmodo updated the article’s headline accordingly.
One of America’s largest banks was left exposed after a software vendor reportedly transferred files destined for the bank’s network to an unsecure Amazon server, security experts say.
Administrative credentials, passwords, and private keys assigned to Capital One, the nation’s eighth-largest commercial bank, were discovered by researchers last month on a publicly accessible cloud-based server hosted by Amazon.
While raising the possibility of threat actors obtaining credentials needed to access internal cloud software, the researchers, working out of the California-based security firm UpGuard, said the exposure mostly underscores the risks companies adopt when giving third-party vendors access to sensitive data.
The leak, which did not contain any customer data, was not the fault of Capital One, according to UpGuard, but of Birst, a business analytics software provider contracted by the bank.
“At no time was any Capital One information exposed,” the bank said in a statement. “This was simply an instance of a vendor’s software that was hosted in their cloud environment. As a matter of standard practice, Capital One changes all default settings, including credentials, prior to deploying third party software. Because of this, there is no impact to the security of Capital One systems and data.”
“Birst’s appliances provide security advantages that would normally protect against precisely this kind of cloud leak,” UpGuard said. “By entirely cutting the on-premise Birst cloud environment off from access to the wider internet, security misconfigurations resulting in the exposure of critical information would not be possible.”
In other words, Birst made its own considerable security controls irrelevant by copying Capital One’s data to an Amazon server—an S3 bucket it didn’t equip with so much as a password.
The data was found by UpGuard on January 15th and secured the same day, the firm said. Capital One was notified that roughly 50GB worth of data ostensibly belonging to the bank was exposed—the researchers noted that the server’s subdomain was named “capitalone-appliance”—and it acted quickly to secure the data.
Regarding the most sensitive data, UpGuard reports:
A number of exposed files concern internal access. A file titled Client.key, an encryption key likely used for decrypting data if removed from the appliance, is stored alongside the same encrypted appliance – defeating any tangible benefits of such a protection, as if a lock and its key were stored together. Also revealed in the bucket are the username and hashed password used for administering appliance databases.
To take advantage of the find, a malicious actor would first need to compromise Capital One’s network; the data contained in the server would not alone help accomplish that, the researchers said. The leak would, however, multiply “the effect of any successful attacker,” UpGuard said, “whether through phishing, malware, social engineering, or insider threat.”
“In a typical breach, attackers must perform considerable reconnaissance to successfully navigate inside a target’s environment,” the firm said. “With the information exposed in this bucket, an attacker would have a roadmap of where to find data on infrastructure, sales forecasts, and product development.”
Amazon Web Services has taken great strides to help improve the security of its cloud environment; S3 buckets, for instance, are encrypted by default. The company seems aware that its cloud service has been the source of countless leaks, but there’s only so much Amazon can do: Ultimately, the responsibility of keeping data secure falls on the individual or company configuring the storage device.
Since Amazon launched a host of new security features in November, data breach hunters told Gizmodo they’ve seen little to no drop in the number of sensitive leaks. Amazon’s clients are simply failing to utilize the security features available to them—likely because it’s more convenient not to, but also because they don’t realize how painless it is for hackers to locate and collect their exposed data.
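As an added defender-side illustration (not code from the article, UpGuard, Birst or Capital One), the check below audits the kind of open bucket described above: it inspects constructed sample bucket-policy, ACL and Block Public Access documents in the shapes the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock APIs return and reports whether the bucket is reachable by the whole internet. The bucket name, account id and role name are made-up placeholders, and the Block Public Access logic is a simplified model of the real flags.

```python
import json

# Constructed sample documents (placeholder bucket, account and role names).
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-appliance/*"}]})
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VendorRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/appliance-sync"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-appliance/*"}]})
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}


def policy_public_statements(policy_json):
    """Sids of Allow statements whose Principal is '*' and that carry no narrowing Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    found = []
    for i, stmt in enumerate(statements):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):          # {"AWS": "..."} form; Service principals ignored
            principal = principal.get("AWS", [])
        principals = principal if isinstance(principal, list) else [principal]
        if stmt.get("Effect") == "Allow" and "*" in principals and "Condition" not in stmt:
            found.append(stmt.get("Sid", "statement[%d]" % i))
    return found


def acl_public_grants(acl):
    """(group URI, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def bucket_exposed(policy_json, acl, public_access_block=None):
    """True when the policy or ACL opens the bucket and Block Public Access does not override it.
    Simplified model: RestrictPublicBuckets neutralises a public policy, IgnorePublicAcls a public ACL."""
    pab = public_access_block or {}
    policy_open = bool(policy_public_statements(policy_json)) and not pab.get("RestrictPublicBuckets")
    acl_open = bool(acl_public_grants(acl)) and not pab.get("IgnorePublicAcls")
    return policy_open or acl_open


if __name__ == "__main__":
    print("weak bucket exposed:", bucket_exposed(WEAK_POLICY, WEAK_ACL))                   # True
    print("fixed bucket exposed:", bucket_exposed(FIXED_POLICY, {"Grants": []}))          # False
    print("weak but blocked:", bucket_exposed(WEAK_POLICY, WEAK_ACL, BLOCK_ALL))          # False
```

In a live audit the three documents would come from the corresponding S3 API calls for each bucket; the logic is unchanged.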
Update, 4:12pm: Capital One has adamantly denied that any of the data, leaked by a third-party vendor, ever posed a threat to its internal network or customers. Bank officials have taken issue with how UpGuard characterized the seriousness of the leak and consider the security firm’s assessment inaccurate, Gizmodo has learned.
It is possible that any passwords contained in the leak may have been changed upon installation of Birst’s software—although other types of credentials were exposed, including encryption keys. As UpGuard reported, the leak also included “configurations critical to the cloud appliance” and “IP addresses and ports used for communication within that environment.”
When asked, the bank did not immediately take issue with any specific details contained in the UpGuard report—other than the fact that the leak was depicted as a “critical” exposure.
Capital One said it would issue a statement shortly and Gizmodo has asked UpGuard for a response.
Update, 4:54pm: Statement added from Capital One.
Correction: The previous headline said “Capital One’s data got exposed.” However, the bank says the exposed data may have been altered by the bank prior to its use, and the security researchers altered their report about the incident to de-emphasize the bank’s possession of the data in question.