Capital One Data Breach 2019

2019-07-01T00:00:00.000Z
BREACH INTELLIGENCE
Breach Date

2019-07-01T00:00:00.000Z

Industry

Financial Services

Severity

Critical

Records Exposed

106M records

Financial Impact

$270M+ penalties

Breach Summary

The Capital One breach of 2019 exposed 106 million customers' financial applications through a misconfigured Web Application Firewall in Amazon Web Services. It became the defining case for cloud security misconfiguration liability and resulted in the first major CISO-level criminal indictment related to a cloud breach at a different organization.

What Happened

Paige Thompson accessed Capital One's AWS environment beginning March 22, 2019, downloading data from more than 700 S3 buckets over several months. She disclosed the breach on a hacking forum in July 2019. A GitHub user who saw the post notified Capital One. Capital One disclosed the breach on July 29, 2019, and notified the OCC. Thompson was arrested the same day. She was convicted in June 2022 on computer fraud charges.

Attack Vector Detail

The attacker, a former AWS engineer named Paige Thompson, exploited a Server-Side Request Forgery (SSRF) vulnerability enabled by a misconfigured WAF in Capital One's AWS environment. The SSRF allowed her to query the AWS metadata service from the WAF's trusted position, obtaining temporary AWS credentials for an IAM role. That IAM role had excessive permissions — it could list and read from S3 buckets containing customer application data. The attacker used those credentials to access more than 700 S3 buckets and download 106 million records.

Because the metadata endpoint hands out the instance role's temporary credentials to any request that reaches it from the host, a server that can be made to issue requests on an attacker's behalf becomes a credential source. The WAF's trusted network position made the exploitation straightforward once the SSRF was identified.
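The credential misuse described above leaves a trace: the instance role's temporary credentials appear in CloudTrail with a source address that is not the instance, and they are used for S3 enumeration a WAF has no reason to perform. The Python below is an added illustration of that detection, not Capital One's or AWS's code; the CloudTrail records, the role name WAF-Role, the 10.0.0.0/16 range and all IP addresses are constructed.

```python
"""Hypothetical detection (not Capital One's or AWS's code): flag EC2 instance-role
credentials used from outside the instance's network, or used for S3 enumeration,
over constructed CloudTrail-shaped records."""
import ipaddress

TRUSTED_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]  # assumed WAF VPC range
S3_ENUM_OR_READ = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}


def make_event(name, ip, role=None):
    """Build a trimmed CloudTrail record (constructed sample data)."""
    if role is None:
        ident = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ops"}
    else:  # credentials from the instance profile show up as an AssumedRole session
        ident = {"type": "AssumedRole",
                 "sessionContext": {"sessionIssuer": {"userName": role}}}
    return {"eventName": name, "sourceIPAddress": ip, "userIdentity": ident}


SAMPLE_EVENTS = [
    make_event("DescribeInstances", "10.0.12.7", "WAF-Role"),  # normal
    make_event("ListBuckets", "198.51.100.23", "WAF-Role"),    # off-instance
    make_event("GetObject", "198.51.100.23", "WAF-Role"),      # off-instance
    make_event("ListBuckets", "10.0.12.7", "WAF-Role"),        # wrong job for a WAF
    make_event("ListBuckets", "203.0.113.5"),                  # IAM user, not watched
]


def role_name(event):
    """Issuing role name for AssumedRole sessions, else None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def find_credential_misuse(events, watched_roles, trusted_cidrs=TRUSTED_CIDRS):
    """Return (reason, eventName, sourceIP) for each suspicious watched-role call."""
    findings = []
    for ev in events:
        if role_name(ev) not in watched_roles:
            continue
        try:
            ip = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            continue  # AWS service principals log a DNS name here, not an IP
        if not any(ip in net for net in trusted_cidrs):
            findings.append(("instance credentials used off-instance", ev["eventName"], str(ip)))
        elif ev["eventName"] in S3_ENUM_OR_READ:
            findings.append(("unexpected S3 access by instance role", ev["eventName"], str(ip)))
    return findings
```

GuardDuty's InstanceCredentialExfiltration finding covers the off-instance case; the on-instance S3 enumeration check is the part worth adding to your own rules.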

Breach Pattern Timeline

March 22, 2019

Per the federal indictment, Paige Thompson — a former AWS engineer operating under the handle 'erratic' — exploits a misconfigured Web Application Firewall (WAF) in Capital One's AWS environment using Server-Side Request Forgery (SSRF).

March-April 2019

Thompson uses the SSRF exploit to reach the AWS instance metadata service, retrieve IAM role credentials, and use those credentials to list and download data from S3 buckets containing 106 million credit card application records.

July 17, 2019

Capital One receives a tip via email about Thompson's GitHub Gist publicly posting evidence of the breach. Internal investigation confirms scope within 48 hours.

July 29, 2019

FBI arrests Paige Thompson in Seattle. Capital One publicly discloses the breach affecting 100 million U.S. and 6 million Canadian customers.

August 6, 2020

OCC announces $80 million civil money penalty against Capital One — the first major bank cybersecurity penalty under the OCC's authority.

December 2021

Capital One settles class action for $190 million.

June 17, 2022

Paige Thompson convicted of wire fraud and Computer Fraud and Abuse Act violations following federal trial in Seattle.

October 4, 2022

Thompson sentenced to time served plus 5 years probation — sentence widely viewed as lenient, drawing criticism from prosecutors who had requested 7 years.

2022-2024

Capital One restructures cloud security architecture and becomes vocal industry advocate for cloud security best practices. The breach becomes the foundational case study for AWS metadata service IMDSv2 adoption industry-wide.

Total impact: 106 million records exposed, $80M OCC penalty + $190M class action settlement, AWS IMDSv2 industry adoption directly attributable to this case.

Executive Lessons

Capital One established that cloud misconfiguration — specifically an overpermissioned EC2 instance role combined with an SSRF vulnerability in a WAF — can result in the exfiltration of 100 million customer records without any credential theft or zero-day exploitation. The breach also generated the first major individual criminal conviction of a cloud misconfiguration attacker and significant regulatory action by the OCC demonstrating that financial regulators treat cloud security failures as safety and soundness violations.

Private Equity Implications

For PE-backed financial services and any portfolio company operating in AWS, the Capital One breach established that cloud misconfiguration at the IAM and WAF layer represents material regulatory and legal liability. Cloud Security Posture Management is not optional for companies holding consumer financial data in cloud environments.

How Cloudskope Can Help

Cloudskope's cloud security assessments evaluate WAF configuration, IAM role permissions, S3 bucket access controls, and metadata service exposure — the specific control failures that enabled the Capital One breach.