On November 15, plaintiffs Broderick et al. filed a class action complaint against Capital One (Broderick et al. v. Capital One et al., 1:19-cv-01454-TSE-JFA) alleging violations of the Racketeer Influenced and Corrupt Organizations (RICO) Act, fraud, unjust enrichment, and a variety of state law claims. The suit arose from a data breach of highly sensitive customer information that was revealed this summer. The plaintiffs are represented by Pierce Bainbridge.
According to Capital One, sensitive information of about 100 million people in the United States and an additional six million in Canada was affected by the breach of Capital One's customer database, which is hosted on Amazon Web Services. Capital One announced the security breach in July, although the attack occurred in March.
The breach was caused by a former Amazon Web Services employee, who has since been arrested and indicted. According to the complaint, Amazon and Capital One conducted a “massive migration of highly sensitive data to a public cloud under the cover of false statements and Potemkin security software that Capital One and Amazon jointly created and jointly marketed to customers, regulators, and to the public as a means of keeping the data safe. But it was all a lie – and unbelievably, the precise conditions created by Defendants that gave rise to the March data theft persist to this day.”
“As a result of these lies… [Plaintiffs’] sensitive personal data was being pooled in a giant ‘data lake’ on the world’s most notoriously insecure public cloud, trawled by machine learning tools while at risk of theft via a well-known, unfixed Server Side Request Forgery (“SSRF”) attack vector… That unsafe aggregation of data is not a bug; it is a feature. It is how Capital One makes money, and it is how Amazon sells its cloud computing services. Without years’ worth of aggregated customer data, both companies would lose a competitive advantage.”
“AWS servers, unlike those run by its competitors (e.g., Google), were not secured against an SSRF attack, which would allow an attacker to get inside a firewall and make requests to the data lake, including requests to pipe the data outside of the firewall to a third-party server.” The complaint alleged that Capital One ignored this security risk.
Capital One created Cloud Custodian, software that allowed it to define rules and roles for its systems. The software was meant to grant only the minimum access necessary to complete a task, so as to limit the damage of a security breach. However, the software did not remove the risk inherent in aggregating large amounts of data on a public cloud server. While many financial institutions use private servers, owned and operated by the institution, Capital One contracted this infrastructure out to Amazon.
As a result, consumers' data was protected from SSRF attacks only by a firewall. Other cloud providers have additional precautions to ensure that requests originating outside the firewall cannot be used to access information inside it; according to the complaint, AWS has not implemented these additional precautions.
The complaint stated that “[t]he net effect is that once an attacker obtains access to a server or system inside an AWS firewall, such as a firewall that protects a customer-facing web application, the attacker has access to all the data available to that server or system. If the attacker obtains access to a single system that can assume a broad IAM role that permits it to access the data lake, such as those that conduct machine learning tasks, all of that data can be transferred outside of the firewall at will.”
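The defender's counterpart to the "broad IAM role" pattern described above is a least-privilege review of the policies attached to compute roles. The following is an added example, not Capital One's, AWS's or Cloud Custodian's code; it takes an IAM policy document as a Python dict and flags Allow statements that grant S3 read access across all buckets. The policy documents are constructed.

```python
"""Least-privilege check for IAM policies attached to compute roles (added example).

Reports Allow statements that combine an S3 read-capable action with a resource
covering every bucket, the pattern that lets any compromised principal read an
entire data lake. Policy documents below are constructed samples.
"""
from fnmatch import fnmatchcase

# Representative read actions; an action pattern matching any of them is read-capable.
S3_READ_ACTIONS = ("s3:GetObject", "s3:ListBucket", "s3:ListAllMyBuckets")


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_s3_read(action_pattern: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    pat = action_pattern.lower()
    return any(fnmatchcase(a.lower(), pat) for a in S3_READ_ACTIONS)


def _covers_all_buckets(resource: str) -> bool:
    """'*' or a bucket ARN whose bucket name is itself a wildcard."""
    return resource == "*" or resource.startswith("arn:aws:s3:::*")


def find_broad_s3_read(policy: dict) -> list:
    """Return one finding per Allow statement that can read S3 across all buckets."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        # NotAction/NotResource invert the match, so they are broad by construction.
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append({"sid": sid, "reason": "NotAction/NotResource"})
            continue
        read_actions = [a for a in _as_list(stmt.get("Action")) if _grants_s3_read(a)]
        wide_resources = [r for r in _as_list(stmt.get("Resource")) if _covers_all_buckets(r)]
        if read_actions and wide_resources:
            findings.append({"sid": sid, "actions": read_actions, "resources": wide_resources})
    return findings


# Constructed policies: the first is the broad pattern, the second is scoped to one prefix.
BROAD_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "MLJobs", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]}
SCOPED_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OneBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-app-bucket/uploads/*"}]}
```

Run `find_broad_s3_read` over each role's inline and attached policy documents; a non-empty result on a role assumable by an internet-facing host is the condition the complaint describes.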
The data breach occurred in March, but “it wasn’t until a July 2019 email from a third party that Capital One realized that it had suffered from the devastating attack. It was clear that Cloud Custodian was either a sham, designed to lull customers and regulators into a false sense of security, or it was never configured to limit access to years of historical data and found no anomalies to detect. Either way, all of Capital One and AWS’s statements about Cloud Custodian were revealed to have been false and misleading.”
Plaintiffs entrusted Capital One with sensitive information when applying for credit cards. According to the complaint, the weakness lay in the application process, and that is where the attack became possible.
The complaint further explained how the data breach occurred in light of the flaws of machine learning. It alleged that Capital One knew the risk of pooling large amounts of data, yet did nothing to secure user data or prevent a breach.
“Capital One may have sealed the particular hole in its firewall that the hacker used, but the vulnerability is an inherent part of its architecture. That is, the very same design that allowed resources to share pools of sensitive customer data using broad IAM roles was the reason the hacker was able to compromise so much data once inside the firewall. That problem had not been fixed and Capital One knew it.”
“AWS was not compromised in any way and functioned as designed,” an Amazon representative stated. “The perpetrator gained access through a misconfiguration of the web applications and not the underlying cloud-based infrastructure. As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud.”