Going by the online handle “erratic,” a former Amazon software engineer conducted an extensive hacking scheme that gave her access to the personal information of tens of millions of Capital One customers, a Seattle jury determined this spring. She’s set to be sentenced this month, and compliance expert Michael Volkov explores the regulatory consequences of her case.
Paige Thompson, a former Amazon Web Services employee, was recently convicted of seven counts of fraud in U.S. District Court for stealing personal data of millions of people from unsecured accounts stored on the tech giant’s cloud service. Sentencing is scheduled for later this month.
Thompson used a tool she built to search for misconfigured AWS accounts and then used those accounts to hack the data of more than two dozen entities, including Capital One bank, which was fined $80 million and later settled customer lawsuits totaling nearly $200 million.
This incident is an important reminder for all financial institutions that are customers of cloud service providers (CSPs) that they need their own set of cloud security measures and cannot rely solely on the CSP for such security. In Capital One’s case, Thompson was able to gain unauthorized access to customer data, which included Social Security numbers and bank account information, through a misconfigured web-application firewall.
Capital One’s security response was quick and indicated adoption of a rapid escalation process. The company discovered the hack from a tip sent to Capital One’s vulnerability disclosure email inbox and subsequently contacted the FBI, which had Thompson in custody within 12 days.
Despite Capital One’s quick response, this case underscores the dangers of cyber hacks of financial institutions that rely on cloud computing providers.
Two years ago, a Cloud Security Alliance survey found that 91% of financial services organizations were using cloud services or planned to within nine months, and while that survey is now a couple of years old, that figure is no doubt even higher. Despite this, regulators appear to be moving slowly to respond to this fast-moving transformation in the risk landscape.
Though there are stirrings of movement in the right direction, banking regulators have not reacted to this significant trend in cloud computing services and data storage. While financial institutions are subject to elaborate risk assessment and security requirements, banking regulators need to respond and outline appropriate security refinements for financial institutions, including breach detection, security protocols and escalation procedures so that time is not wasted once an incident occurs.
In the absence of regulatory intervention in this area, financial institutions have to re-examine their cyber defenses and reassess how security and operations teams coordinate their activities to ensure data protection.
While CSPs have significant obligations in this area to define shared responsibilities, financial institutions must identify and respond to the risks that remain on their side of that division so that they can avoid the devastating consequences of a serious data breach connected to their cloud-based operations. Financial institutions should implement a preventive security strategy involving encryption, vulnerability assessments and consistent configurations. Third-party security and monitoring capabilities should be used alongside the CSP's own security protocols, not in place of them.
The financial industry will have to prove to regulators that it understands and has implemented effective risk management. If financial institutions fail to act, rest assured regulators will intervene with a detailed and comprehensive regulatory regime governing the CSP environment.