Capital One Data Breach and Cloud Security

Dob Todorov, CEO & Chief Cloud Officer of HeleCloud, 5 Aug 2019

In two separate press releases [1] & [2], Capital One announced a security incident and a data breach involving a large amount of customer data, including credit card information and personal information, stored on the AWS Simple Storage Service (S3). The announcements stirred a lot of media interest as well as a broad set of statements and interpretations from various media outlets and individuals, going all the way to declarations that Cloud is not secure and is not suitable for storing confidential information.
We at HeleCloud believe it is important to separate the facts from the opinions, whether they are supportive of Cloud as a secure platform or otherwise. Security incidents happen every day, in Cloud and in conventional datacentres. Some of these incidents get detected; unfortunately, most don’t. The root cause of such incidents may lie in technologies and their configuration, in processes that support insecure practices, or in people who lack the knowledge, skills and experience, or who unwittingly or deliberately behave in an insecure fashion. All of these aspects need to be taken into consideration when we look into the security of a system, whether in the Cloud or on-premises. In security, one is only as strong as their weakest link, so none of these aspects can be ignored or underinvested in.

Given the above, HeleCloud Security & Compliance experts have consistently insisted on the following security principles:

  • Security & Compliance require a holistic approach – people, processes, technologies;
  • Minimising the impact of the human element, whether deliberate action or human error, is possible to a large degree and requires automation. The more automation is involved, the more secure the system is;
  • Detection is important: not knowing that an incident has happened does not eliminate the incident or its impact. Unfortunately, many organisations don’t even detect such incidents;
  • Security is an ongoing requirement: one needs to become secure and then maintain a secure state continuously for the whole life span of the system;
  • Encryption is not a solution to every security requirement; it is a solution to one very specific requirement – confidentiality. Encrypting data, with whatever algorithms or keys, does not by itself make a system more secure.

Cloud, and the AWS platform in particular, provides an unprecedented level of security through the visibility, auditability and control of access to all infrastructure components and Cloud-native applications. Cloud, and the API-driven nature of access to Cloud services, facilitates the highest level of automation possible in IT today. Through its more than fifty industry and regulatory certifications and accreditations, the AWS platform is unrivalled for the security standards that it meets, far ahead of any on-premises solution. This is possible through the high degree of automation and standardisation, and the sheer scale of the platform. Yet such a powerful and natively secure platform still requires organisations to architect solutions on it, configure it and manage it in a secure fashion: security OF the Cloud is the responsibility of AWS, whereas security IN the Cloud is the responsibility of its users. HeleCloud Professional Services teams have been working with customers and partners for the last three years to help them design and implement such solutions, taking a holistic and highly automated approach and working against a secure and compliant target operating model (TOM). HeleCloud Managed Services provide continuous real-time monitoring, incident response and remediation to ensure the highest security standards on an ongoing basis. We practice what we preach.
To the extent that information is available on the Capital One security breach, it appears that:

  • An Amazon S3 bucket containing personal information had its data encrypted, but with a default key rather than individual user keys. Such encryption often protects only against the underlying platform, which has limited value, since an organisation running applications on AWS by and large trusts AWS. Capital One seems to have enabled encryption and assumed that it protects against unauthorised access, which is an obvious mistake. Focusing on encryption often provides a false sense of protection.
  • Specific AWS S3 access control policies were not configured properly, allowing access either anonymously from the Internet or through application credentials with wider access permissions than required. It is exactly through access policies that one protects their resources on Amazon S3. Standard policies exist and can be applied to avoid this mistake, and for custom policies AWS provides both manual and automated testing tools.
  • Monitoring for authorised access, use of specific privileges and unauthorised access attempts was not configured properly from a technical and, likely, from a process perspective. Data were accessed in March 2019, yet Capital One only uncovered the incident in July 2019. It seems that access logs were available. Given the visibility that AWS services provide in terms of access, including real-time monitoring, it seems that Capital One made a significant omission; otherwise they would have detected, and likely contained, the incident in real time. Such capabilities don’t exist outside the AWS platform, so having the capabilities and not using them is unacceptable.
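An added example (not Capital One's, AWS's or HeleCloud's code) of the kind of access-log monitoring the second and third points call for: it parses constructed S3 server access log lines and flags anonymous requests, requests refused by policy, and operations a principal is not expected to perform. The bucket name, principal ARN, addresses and the EXPECTED_OPS table are all assumptions made for the illustration.

```python
import re
from typing import Dict, List, Set

# Field order follows the S3 server access log layout up to the HTTP status; the
# remaining fields (bytes, timings, user agent, ...) are not needed for these checks.
LINE_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample lines (not real data): an anonymous reader pulls two exports, an
# application role reads an object as intended, then lists the bucket, then is denied.
SAMPLE_LOG = """\
79a59df9 customer-data [12/Mar/2019:09:12:01 +0000] 198.51.100.7 - 3E57427F REST.GET.OBJECT customers/export.csv "GET /customers/export.csv HTTP/1.1" 200 - 1048576 1048576 120 100 "-" "python-requests/2.21.0" -
79a59df9 customer-data [12/Mar/2019:09:12:05 +0000] 198.51.100.7 - 3E57427G REST.GET.OBJECT customers/cards.csv "GET /customers/cards.csv HTTP/1.1" 200 - 52428800 52428800 900 800 "-" "python-requests/2.21.0" -
79a59df9 customer-data [12/Mar/2019:10:00:00 +0000] 10.0.1.23 arn:aws:iam::111122223333:role/app-role 3E57427H REST.GET.OBJECT customers/export.csv "GET /customers/export.csv HTTP/1.1" 200 - 1048576 1048576 90 80 "-" "aws-sdk-java/1.11" -
79a59df9 customer-data [12/Mar/2019:10:05:00 +0000] 10.0.1.23 arn:aws:iam::111122223333:role/app-role 3E57427I REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 512 - 30 20 "-" "aws-cli/1.16" -
79a59df9 customer-data [12/Mar/2019:10:06:00 +0000] 10.0.1.23 arn:aws:iam::111122223333:role/app-role 3E57427J REST.DELETE.OBJECT customers/export.csv "DELETE /customers/export.csv HTTP/1.1" 403 AccessDenied - - 10 - "-" "aws-cli/1.16" -
"""

# Hypothetical least-privilege expectation: the operations each principal should perform.
EXPECTED_OPS: Dict[str, Set[str]] = {
    "arn:aws:iam::111122223333:role/app-role": {"REST.GET.OBJECT"},
}


def parse_line(line: str) -> Dict[str, str]:
    match = LINE_RE.match(line)
    if not match:
        raise ValueError(f"unparseable access log line: {line[:60]!r}")
    return match.groupdict()


def flag_access(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per log line on which an access-monitoring rule fires."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec["requester"] == "-":
            reason = "anonymous access"          # no credentials presented at all
        elif rec["status"] == "403":
            reason = "denied attempt"            # refused by the bucket or IAM policy
        elif rec["operation"] not in EXPECTED_OPS.get(rec["requester"], set()):
            reason = "operation outside expected privileges"
        else:
            continue                             # matches the expected access pattern
        findings.append({"reason": reason, "requester": rec["requester"], "ip": rec["ip"],
                         "operation": rec["operation"], "key": rec["key"], "time": rec["time"]})
    return findings
```

Run against the sample, the two anonymous reads, the unexpected bucket listing and the denied delete are reported, while the role's intended object read is not.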

In their statement, Capital One recognised the limitations of their specific implementation and confirmed that the mistakes and omissions made were due to their own configuration of the AWS platform. Such mistakes and omissions would have led to a similar impact even if their systems had been located in conventional datacentres: “This type of vulnerability is not specific to the cloud. The elements of infrastructure involved are common to both cloud and on-premises data centre environments.” We fully agree with this statement.
Cloud is a very powerful IT delivery platform, and a very secure one. Organisations must ensure that they have the knowledge and experience to configure the AWS platform to their needs; if they do so, they will be more secure than anywhere else.

[1] Information on the Capital One Cyber Incident –
[2] Capital One Announces Data Security Incident –