Capital One cloud misconfiguration breach
Former AWS engineer Paige Thompson exploited a misconfigured Web Application Firewall to extract personal data on roughly 106 million Capital One credit-card applicants and customers from S3.
- Victim: Capital One Financial Corporation
- Loss: $270.0M
- Records: 106.0M
- Users: 106.0M
On 29 July 2019, Capital One Financial Corporation disclosed that a former Amazon Web Services engineer had extracted personal information on approximately 106 million U.S. and Canadian credit-card applicants and customers from the bank's AWS-hosted S3 buckets. The breach was unusual in two respects: the attacker was a lone individual, and the data had never been monetised or further distributed.
It became the canonical case for cloud-misconfiguration risk in financial services.
What happened
Paige Thompson, a former AWS engineer working independently, scanned the public internet in March 2019 for misconfigured AWS Web Application Firewall (WAF) instances. She was specifically hunting for WAFs whose IAM roles had been granted excessive privileges, a deployment pattern that turns a routine WAF into a path to the broader AWS tenant.
She found one at Capital One. The bank's WAF, deployed on EC2, had been configured with an IAM role permitting it to list and read S3 objects across Capital One's AWS tenant. The WAF itself did not have a vulnerability per se; the misconfiguration was the IAM scope. Thompson:
- Identified the WAF as exploitable via server-side request forgery (SSRF) against the EC2 metadata service.
- Retrieved temporary IAM credentials by tricking the WAF into making a request to http://169.254.169.254/latest/meta-data/iam/security-credentials/.
- Used those credentials with the AWS CLI to list and read Capital One's S3 buckets.
- Exfiltrated data including:
  - ~100 million U.S. credit card applicants (names, addresses, phone numbers, emails, dates of birth, income, credit scores, fragments of payment information).
  - ~6 million Canadian customers with similar fields.
  - ~140,000 U.S. Social Security Numbers that had been retained in old credit applications.
  - ~80,000 U.S. bank account numbers.
  - ~1 million Canadian Social Insurance Numbers.
The breach took place between 22 and 23 March 2019.
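As an added example (not Capital One's or AWS's code), a small checker for the IAM pattern described above: it flags Allow statements that grant S3 list or read actions on an unscoped resource, and places that pattern next to a scoped policy. Both policy documents and the bucket name example-waf-rules are constructed.

```python
import fnmatch
import json

# Constructed policies (not Capital One's real role policy). The first has the
# shape described above: a WAF host whose instance role may list and read S3
# objects across the whole tenant.
OVERSCOPED_WAF_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Scoped alternative: only the read action the WAF needs, on one hypothetical
# bucket (example-waf-rules) rather than every bucket in the account.
SCOPED_WAF_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-waf-rules/*"}],
})

# Actions that let a caller enumerate and pull data out of S3.
S3_READ_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")
UNSCOPED_RESOURCES = ("*", "arn:aws:s3:::*")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overscoped_s3(policy_json):
    """Return (action, resource) pairs granting tenant-wide S3 listing or reads.

    A pair is flagged when an Allow statement's action pattern (IAM wildcards
    such as s3:* or s3:Get*, matched case-insensitively) covers one of
    S3_READ_ACTIONS and its resource is unscoped. Deny statements and
    conditions are ignored, so treat a hit as something to review, not as
    proof of effective access.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            matched = any(fnmatch.fnmatchcase(a.lower(), action.lower())
                          for a in S3_READ_ACTIONS)
            for resource in _as_list(stmt.get("Resource", [])):
                if matched and resource in UNSCOPED_RESOURCES:
                    findings.append((action, resource))
    return findings
```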
Discovery
Thompson made no attempt to monetise or further distribute the data. Instead, she posted about her access openly on Slack groups for security researchers, public GitHub repositories that listed the exfiltrated S3 bucket names, and Twitter under the handle @0xA3A97B6C.
A security researcher who saw her posts notified Capital One via the bank's responsible disclosure programme on 17 July 2019. Capital One investigated within 48 hours, confirmed the breach, contacted the FBI on 19 July, and on 29 July simultaneously made the public disclosure as Thompson was arrested at her Seattle residence.
Impact
- ~106 million customers had personal information exposed.
- $80 million OCC civil money penalty in August 2020, at the time the largest cybersecurity-related civil penalty levied by a U.S. banking regulator.
- $190 million class-action settlement approved in December 2021.
- Direct remediation, customer notification, and credit-monitoring costs: ~$100 million.
- Total disclosed costs: ~$270M+ before insurance recovery.
Why it matters
Capital One is the canonical case for cloud-misconfiguration risk in regulated industries. It established:
- That IAM role over-privileging is a real-world breach vector at scale. The WAF in question worked exactly as Capital One had designed it; the design was the vulnerability.
- That server-side request forgery is a primary cloud-tenancy threat, exploitable because the cloud metadata service is reachable from any process that can be tricked into making an HTTP request, and grants credentials with no out-of-band authentication.
- That regulator response to cloud breaches is now substantive: the OCC's $80M penalty cited specific cloud-security control weaknesses, not just "the breach happened."
- That lone-actor cloud breaches can scale to the same magnitude as state-sponsored or organised criminal operations, given a sufficient cloud misconfiguration.
AWS subsequently shipped IMDSv2 (mandatory session-based metadata access) in November 2019, specifically motivated by the Capital One case. IMDSv2 prevents the exact SSRF chain Thompson used. Adoption across enterprise AWS estates has been slow; the vulnerability class persists in older deployments.
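An added detection example, not drawn from the page's sources: it runs over constructed CloudTrail-style records and flags instance-role sessions (credentials handed out by the metadata service, which CloudTrail marks with sessionContext.ec2RoleDelivery) that are used from addresses outside the ranges where the WAF hosts should be calling AWS APIs, and separately lists sessions whose credentials were still delivered by IMDSv1. The account id, role name, instance id and the 10.0.0.0/16 range are constructed.

```python
import ipaddress


def _event(name, src, arn, delivery=None, kind="AssumedRole"):
    ident = {"type": kind, "arn": arn}
    if delivery is not None:  # CloudTrail records which IMDS version issued the creds
        ident["sessionContext"] = {"ec2RoleDelivery": delivery}
    return {"eventName": name, "sourceIPAddress": src, "userIdentity": ident}


# Constructed sample (account id, role and instance id are made up). The first
# call comes from the WAF host; the next two replay its IMDSv1-issued credentials
# from an address outside the VPC, the pattern seen in the case above.
WAF_SESSION = "arn:aws:sts::123456789012:assumed-role/ExampleWafRole/i-0abc123"
SAMPLE_EVENTS = [
    _event("GetObject", "10.0.1.25", WAF_SESSION, "2.0"),
    _event("ListBuckets", "203.0.113.7", WAF_SESSION, "1.0"),
    _event("GetObject", "203.0.113.7", WAF_SESSION, "1.0"),
    _event("DescribeInstances", "198.51.100.4",
           "arn:aws:iam::123456789012:user/alice", kind="IAMUser"),
]
# Hypothetical ranges from which the WAF hosts legitimately reach AWS APIs
# (their NAT gateway or VPC endpoint addresses, for instance).
EXPECTED_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]


def _delivery(event):
    return event.get("userIdentity", {}).get("sessionContext", {}).get("ec2RoleDelivery")


def instance_role_misuse(events, expected_cidrs=EXPECTED_CIDRS):
    """Flag instance-role credentials used from outside the expected ranges.

    Only sessions whose credentials came from the metadata service are
    considered. Returns (session arn, source ip, delivery, event name) tuples.
    """
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole" or _delivery(ev) is None:
            continue
        src = ipaddress.ip_address(ev["sourceIPAddress"])
        if not any(src in net for net in expected_cidrs):
            findings.append((ident["arn"], str(src), _delivery(ev), ev["eventName"]))
    return findings


def imdsv1_delivered_sessions(events):
    """Sessions still getting credentials via IMDSv1: hosts to move to IMDSv2."""
    return sorted({ev["userIdentity"]["arn"] for ev in events if _delivery(ev) == "1.0"})
```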
Financial impact
Reported costs in USD
- Remediation: $100.0M
- Fines & settlements: $270.0M
Timeline
- March 2019: Paige Thompson scans the public internet for misconfigured AWS Web Application Firewall instances. She identifies Capital One's WAF as exploitable via SSRF against the EC2 metadata service.
- 22-23 March 2019: Thompson uses the SSRF to retrieve temporary IAM credentials from Capital One's WAF and uses them to list and read Capital One S3 objects.
- 22-23 March 2019: Thompson exfiltrates personal data on approximately 106 million Capital One credit card applicants and existing customers.
- Thompson posts about the breach openly on Slack, GitHub, and Twitter under the handle 'erratic'. The exfiltrated bucket names appear in her public GitHub repositories.
- 17 July 2019: A security researcher who saw Thompson's posts notifies Capital One via the bank's responsible disclosure programme.
- 19 July 2019: Capital One contacts the FBI.
- 29 July 2019: Capital One publicly discloses the breach the same day Thompson is arrested at her Seattle residence.
- August 2020: OCC announces an $80 million civil money penalty against Capital One for unsafe banking practices related to the breach.
- December 2021: $190 million class action settlement approved.
- Federal jury in W.D. Wash. finds Thompson guilty on 5 of 7 counts.
- Thompson sentenced to time served plus 5 years probation.
Sources
- justice.gov: https://www.justice.gov/usao-wdwa/pr/seattle-tech-worker-arrested-data-theft-involving-large-financial-services-company
- occ.treas.gov: https://www.occ.treas.gov/news-issuances/news-releases/2020/nr-occ-2020-101.html
- krebsonsecurity.com: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/