Capital One Data Breach 2019
Breach Summary
The Capital One breach of 2019 exposed 106 million customers' financial applications through a misconfigured Web Application Firewall in Amazon Web Services. It became the defining case for cloud security misconfiguration liability and resulted in the first major CISO-level criminal indictment related to a cloud breach at a different organization.
What Happened
Paige Thompson accessed Capital One's AWS environment beginning March 22, 2019, downloading data from more than 700 S3 buckets over several months. She disclosed the breach on a hacking forum in July 2019. A GitHub user who saw the post notified Capital One. Capital One disclosed the breach July 29, 2019 and notified the OCC. Thompson was arrested July 29, 2019. She was convicted in June 2022 on computer fraud charges.
Attack Vector Detail
The attacker, a former AWS engineer named Paige Thompson, exploited a Server-Side Request Forgery (SSRF) vulnerability enabled by a misconfigured WAF in Capital One's AWS environment. The SSRF allowed her to query the AWS metadata service from the WAF's trusted position, obtaining temporary AWS credentials for an IAM role. That IAM role had excessive permissions — it could list and read from S3 buckets containing customer application data. The attacker used those credentials to access more than 700 S3 buckets and download 106 million records.
The misconfiguration allowed any server that could reach the metadata endpoint to obtain temporary credentials. The WAF's trusted network position made the exploitation straightforward once the SSRF was identified.
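The two conditions described above, an instance metadata service that answers unauthenticated requests and an instance role with broad S3 read, are both visible in configuration before anyone exploits them. The following audit script is an added example written for this page, not Capital One's or AWS's code; it runs offline over constructed data shaped like the output of `aws ec2 describe-instances` and an IAM policy document. Instance IDs, role and bucket names are placeholders.

```python
"""Offline audit of two root causes in the Capital One case: an EC2 instance
still serving IMDSv1 (credentials readable with a plain GET, which is what an
SSRF can issue), and an instance role whose policy grants S3 read on every
bucket. Added example; sample data is constructed, not real configuration."""
import fnmatch
from typing import Dict, List

# Constructed sample: the first instance allows IMDSv1 and a 2-hop token TTL,
# the second is configured the way IMDSv2 hardening recommends.
SAMPLE_INSTANCES: List[Dict] = [
    {
        "InstanceId": "i-0a1b2c3d4e5f60718",      # placeholder
        "MetadataOptions": {
            "HttpEndpoint": "enabled",
            "HttpTokens": "optional",          # IMDSv1 still answers plain GETs
            "HttpPutResponseHopLimit": 2,
        },
    },
    {
        "InstanceId": "i-0f9e8d7c6b5a40392",      # placeholder
        "MetadataOptions": {
            "HttpEndpoint": "enabled",
            "HttpTokens": "required",          # IMDSv2 only: token PUT required
            "HttpPutResponseHopLimit": 1,
        },
    },
]

# Constructed sample policy attached to the instance role.
SAMPLE_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Too broad: list and read any object in any bucket the account owns
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": "*",
        },
        {   # Scoped to one bucket: acceptable for a component that only writes logs
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::waf-logs-placeholder/*",
        },
    ],
}

# Actions that let a caller enumerate and read bucket contents. ListAllMyBuckets
# is deliberately excluded: IAM only supports it on Resource "*".
S3_READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value) -> List[str]:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def imds_findings(instance: Dict) -> List[str]:
    """Return hardening gaps in one instance's metadata options."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return []  # no metadata service, nothing for an SSRF to reach
    findings = []
    if opts.get("HttpTokens") != "required":
        findings.append("IMDSv1 enabled: an unauthenticated GET can read role credentials")
    if int(opts.get("HttpPutResponseHopLimit", 1)) > 1:
        findings.append("hop limit > 1: IMDSv2 token response can travel beyond the instance")
    return findings


def broad_s3_read_statements(policy: Dict) -> List[int]:
    """Indices of Allow statements granting S3 read on a wildcard resource."""
    hits = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive globs, e.g. "s3:*" or "*".
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        grants_read = any(
            fnmatch.fnmatch(read, pattern) for read in S3_READ_ACTIONS for pattern in patterns
        )
        wildcard_resource = any(r in ("*", "arn:aws:s3:::*") for r in _as_list(stmt.get("Resource")))
        if grants_read and wildcard_resource:
            hits.append(idx)
    return hits


def audit(instances: List[Dict], policy: Dict) -> Dict[str, object]:
    """Summarise both checks the way a posture-management rule would report them."""
    return {
        "imds": {i["InstanceId"]: imds_findings(i) for i in instances if imds_findings(i)},
        "broad_s3_read_statements": broad_s3_read_statements(policy),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_INSTANCES, SAMPLE_POLICY), indent=2))
```

Against the constructed data, the report names the first instance twice (IMDSv1 allowed, hop limit 2) and flags statement 0 of the policy; the second instance and the log-writer statement pass. Requiring IMDSv2 tokens does not remove the SSRF, but an SSRF that can only issue GETs cannot complete the token PUT, so the credential read fails; scoping the role to the buckets it actually needs limits what a leaked credential can reach.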
Breach Pattern Timeline
March 22, 2019
Per the federal indictment, Paige Thompson — a former AWS engineer operating under the handle 'erratic' — exploits a misconfigured Web Application Firewall (WAF) in Capital One's AWS environment using Server-Side Request Forgery (SSRF).
March-April 2019
Thompson uses the SSRF to reach the AWS instance metadata service, retrieves the IAM role's temporary credentials, and uses those credentials to list and download data from S3 buckets containing 106 million credit card application records.
July 17, 2019
Capital One receives a tip via email about Thompson's GitHub Gist publicly posting evidence of the breach. Internal investigation confirms scope within 48 hours.
July 29, 2019
FBI arrests Paige Thompson in Seattle. Capital One publicly discloses the breach affecting 100 million U.S. and 6 million Canadian customers.
August 6, 2020
OCC announces $80 million civil money penalty against Capital One — the first major bank cybersecurity penalty under the OCC's authority.
December 2021
Capital One settles class action for $190 million.
June 17, 2022
Paige Thompson convicted of wire fraud and Computer Fraud and Abuse Act violations following federal trial in Seattle.
October 4, 2022
Thompson sentenced to time served plus 5 years probation — sentence widely viewed as lenient, drawing criticism from prosecutors who had requested 7 years.
2022-2024
Capital One restructures cloud security architecture and becomes vocal industry advocate for cloud security best practices. The breach becomes the foundational case study for AWS metadata service IMDSv2 adoption industry-wide.
Total impact: 106 million records exposed, $80M OCC penalty + $190M class action settlement, AWS IMDSv2 industry adoption directly attributable to this case.
Executive Lessons
Capital One established that cloud misconfiguration — specifically an overpermissioned EC2 instance role combined with an SSRF vulnerability in a WAF — can result in the exfiltration of 100 million customer records without any credential theft or zero-day exploitation. The breach also generated the first major individual criminal conviction of a cloud misconfiguration attacker and significant regulatory action by the OCC demonstrating that financial regulators treat cloud security failures as safety and soundness violations.
Private Equity Implications
For PE-backed financial services and any portfolio company operating in AWS, the Capital One breach established that cloud misconfiguration at the IAM and WAF layer represents material regulatory and legal liability. Cloud Security Posture Management is not optional for companies holding consumer financial data in cloud environments.
Frequently Asked Questions
What was the Capital One data breach?
A 2019 breach affecting approximately 106 million Capital One customers and credit card applicants in the U.S. and Canada. The attacker, a former Amazon Web Services employee named Paige Thompson, exploited a misconfigured web application firewall in Capital One's AWS environment to access an S3 bucket containing customer data.
How did the Capital One breach happen?
The attacker exploited a server-side request forgery (SSRF) vulnerability in a misconfigured AWS WAF to obtain IAM credentials, then used those credentials to access S3 buckets containing customer data. The misconfiguration had existed in production for an extended period before exploitation.
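The credential misuse this answer describes leaves a distinctive trace in CloudTrail: an EC2 instance role's session is named after the instance that assumed it, so API calls from that session should originate from the network that instance uses. The detection below is an added example written for this page, not Capital One's or AWS's code. The events are constructed in CloudTrail's record shape; account IDs, role and bucket names and IP ranges are placeholders (RFC 5737 test networks), and the list of expected egress CIDRs is an assumption standing in for an account's real NAT gateway addresses.

```python
"""Flag EC2 instance-role credentials used from outside the account's expected
egress ranges, the pattern left when role credentials obtained via the metadata
service are replayed from elsewhere. Added example over constructed events."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Assumption: public ranges the account's instances egress through (NAT EIPs).
EXPECTED_EGRESS_CIDRS = [ipaddress.ip_network("198.51.100.0/24")]

# An instance-role session ARN ends in the ID of the instance that assumed it.
INSTANCE_SESSION_RE = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]+)$")

# Constructed sample CloudTrail events, trimmed to the fields used here.
SAMPLE_EVENTS: List[Dict] = [
    {   # Role credentials used from outside the account's egress range
        "eventTime": "2019-03-22T17:52:24Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "sourceIPAddress": "203.0.113.45",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/waf-role-placeholder/i-0a1b2c3d4e5f60718",
            "sessionContext": {"ec2RoleDelivery": "1.0"},
        },
    },
    {   # Same role session, but from the NAT range the instance normally uses
        "eventTime": "2019-03-22T17:55:01Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "sourceIPAddress": "198.51.100.20",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/waf-role-placeholder/i-0a1b2c3d4e5f60718",
            "sessionContext": {"ec2RoleDelivery": "2.0"},
        },
        "requestParameters": {"bucketName": "waf-logs-placeholder"},
    },
    {   # Human IAM user session: not an instance role, out of scope for this rule
        "eventTime": "2019-03-22T18:01:40Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "ListBuckets",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst-placeholder"},
    },
]


def _instance_id(event: Dict) -> Optional[str]:
    """Return the instance ID encoded in an instance-role session ARN, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    match = INSTANCE_SESSION_RE.search(ident.get("arn", ""))
    return match.group(1) if match else None


def _off_network(source_ip: str, cidrs: Iterable[ipaddress.IPv4Network]) -> bool:
    """True when the caller address lies outside every expected egress range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # e.g. a service principal such as "ec2.amazonaws.com"
    return not any(addr in net for net in cidrs)


def find_exfiltrated_role_use(events: Iterable[Dict], cidrs=EXPECTED_EGRESS_CIDRS) -> List[Dict]:
    """Instance-role API calls whose source IP is not in the expected egress ranges."""
    findings = []
    for ev in events:
        instance = _instance_id(ev)
        if instance is None or not _off_network(ev.get("sourceIPAddress", ""), cidrs):
            continue
        delivery = ev.get("userIdentity", {}).get("sessionContext", {}).get("ec2RoleDelivery")
        findings.append({
            "time": ev["eventTime"],
            "instance": instance,
            "call": f"{ev['eventSource']}:{ev['eventName']}",
            "source_ip": ev["sourceIPAddress"],
            # CloudTrail records "1.0" when the credentials came via IMDSv1.
            "imdsv1_credentials": delivery == "1.0",
        })
    return findings


if __name__ == "__main__":
    for finding in find_exfiltrated_role_use(SAMPLE_EVENTS):
        print(finding)
```

Only the first event is reported: an instance-role session calling S3 from a test-network address outside the expected range, with credentials that CloudTrail marks as delivered over IMDSv1. The second call comes from the NAT range and passes, and the IAM user is ignored because the rule is about instance roles. In production the CIDR list would be derived from the account's actual NAT and elastic IP inventory, and GuardDuty's managed finding for instance credential exfiltration covers the same pattern without maintaining that list by hand.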
How much did Capital One pay?
Capital One paid $80 million to the U.S. Office of the Comptroller of the Currency in 2020 — the largest OCC penalty for a cybersecurity-related matter at the time. Capital One also settled class action litigation for $190 million in 2022. Total direct costs including remediation and customer notification exceeded $300 million.
What data was stolen from Capital One?
Approximately 140,000 Social Security numbers, 80,000 linked bank account numbers, and 1 million Canadian Social Insurance Numbers, plus names, addresses, dates of birth, credit scores, and self-reported income data for approximately 106 million applicants and customers. The data covered credit card applications from 2005 through early 2019.
What did Capital One establish for cloud security?
Capital One is the foundational precedent for cloud misconfiguration as a regulator-scrutinized failure category. The OCC penalty specifically cited inadequate cloud security risk assessment, weak change management, and ineffective monitoring of cloud configuration. For executives, the implication is that cloud security cannot be delegated entirely to the cloud provider — customer-side configuration and IAM management are direct organizational responsibilities.