For those who came in late, earlier this year credit card outfit Capital One was attacked, and sensitive financial data from over 106 million customers was nicked and made freely accessible on the web for weeks.
Vincentas Grinius, CEO of Heficed, a provider of dedicated server solutions, said the hack was baffling.
“Very little hacking was involved: the alleged criminal exploited insider knowledge that was not revised or updated for years, and the crime was only noticed after she posted about it repeatedly on the internet.”
Now it seems that the alleged hacker, Paige Thompson, had previously worked as a systems engineer at Amazon.com. Aside from selling goods, the retail giant also offers its infrastructure for cloud computing solutions, in Capital One's case for data storage. Thompson quit the job almost three years ago, according to her LinkedIn profile.
It seems that she gained inside knowledge during her time with Amazon that allowed her to access the cloud data storage, not only after she left the company, but as recently as earlier this year. This means that there were no substantial upgrades made to the Amazon cloud’s inner workings during that time.
Cloud servers have distinct advantages, but they also suffer from disadvantages, particularly in a large-scale corporate context. Specifically, companies of Amazon’s size often cannot offer dedicated servers, which alleviate many of those disadvantages.
“Smaller companies can offer dedicated servers, meaning that they are used by one client only and can be completely customized according to the client’s wishes. Not only that, companies of our size create a personal rapport with the client, which is practically non-existent when talking about huge providers,” Grinius adds.
The recent reports further revealed that Thompson announced her crime before the fact. She was very active on numerous message boards and even posted on Twitter about a number of companies whose data she thought was in danger of exposure due to faulty Amazon technology. By the time she made those claims, she had already had access to the Capital One customer data in question for three months.
This boasting, as well as the security flaws that must clearly have existed, simply went under the radar. “Perhaps it is simply impossible for an organisation of Amazon’s size to pay attention to these seemingly small details, but the outcome has shown how important such oversight is,” said Grinius. “Niche providers cannot afford any carelessness, because the web hosting business is our lifeblood. Amazon, on the other hand, has many areas of operation it can survive on.”
More than anything, the Capital One case shows the dangers of using shared servers that are in the hands of very large corporations.
The maintenance of dedicated client servers requires a level of attention to detail that large corporate providers often cannot provide. “A dedicated server would have been constantly monitored for potential security breaches. Someone would have picked up on the leaks in the cloud, or on the threats of exposing the client’s data on Twitter, or at the very latest on the actual user data being posted on GitHub,” concluded Grinius. “In this case, Capital One only learned of the breach when an unrelated user sent an email alerting them that their data was openly accessible.” Throughout the entire process, Amazon remained unaware.