In March 2019, Paige Thompson, a former Amazon Web Services engineer,
exploited a misconfigured web application firewall (WAF) protecting Capital
One’s AWS environment to execute a server-side request forgery (SSRF)
attack. The attack yielded access to 14 years of credit card application
data covering 106 million individuals in the United States and Canada,
including 140,000 Social Security numbers and 80,000 linked bank account
numbers. Capital One was fined $80 million by the Office of the Comptroller
of the Currency, received a Federal Reserve Board cease-and-desist order,
and settled a class action lawsuit for $190 million. Thompson was convicted
of wire fraud and computer intrusion in June 2022.
## Key Facts
- **What:** Former AWS engineer exploited misconfigured WAF to steal Capital One data.
- **Who:** 106 million U.S. and Canadian credit card applicants over 14 years.
- **Data Exposed:** SSNs, bank account numbers, credit scores, and application records.
- **Outcome:** $80M OCC fine, $190M class action settlement, and criminal conviction.
## What Was Exposed
- Names, addresses, dates of birth, and self-reported income for 106 million credit card applicants spanning 2005 to 2019
- Approximately 140,000 Social Security numbers from U.S. applicants
- Approximately 80,000 linked bank account numbers
- One million Social Insurance Numbers from Canadian applicants
- Credit scores, credit limits, balances, payment history, and contact information
- Fragments of transaction data including dates, amounts, and merchant categories
- 23 days of credit card application data including applicant-submitted financial details
The breadth of the exposed dataset was extraordinary. Fourteen years of
credit card application data constituted a comprehensive financial profile
for each affected individual, revealing not only their identity but their
income trajectory, creditworthiness, spending patterns, and banking
relationships.
For the 140,000 individuals whose Social Security numbers were exposed
alongside this financial data, the breach provided everything needed for
sophisticated financial fraud, synthetic identity creation, and targeted
social engineering.
## The Attack: SSRF Through a Misconfigured WAF
Thompson’s attack exploited a chain of misconfigurations in Capital One’s
AWS deployment. The attack began with a server-side request forgery (SSRF)
vulnerability in a misconfigured ModSecurity web application firewall that
Capital One had deployed on an EC2 instance.
The WAF had been configured with excessive IAM role permissions, granting
it access to S3 buckets containing sensitive data far beyond what was
necessary for its traffic-filtering function.
By sending crafted HTTP requests to the WAF, Thompson was able to trick
it into querying the AWS Instance Metadata Service (IMDS), which returned
temporary security credentials associated with the WAF’s IAM role. These
credentials provided access to S3 buckets containing Capital One’s
credit card application data.
Thompson used the credentials to list the contents of more than 700 S3
folders and buckets and to download the data stored within them.
Thompson’s inside knowledge of AWS architecture was instrumental in the
attack. As a former AWS systems engineer who had worked on the S3 storage
service, she understood the metadata service, IAM role assumptions, and
S3 bucket access patterns intimately. However, the vulnerabilities she
exploited were neither obscure nor novel: SSRF attacks against cloud metadata
services were well documented in the security community, and AWS had
published guidance on mitigating them.
The breach was discovered not through Capital One’s security monitoring
but through a tip from an external researcher. On July 17, 2019, a
security researcher discovered that Thompson had been publicly boasting
about the breach on social media and in Slack channels under the handle
“erratic.” The researcher reported the information to Capital One,
which confirmed the unauthorized access and notified the FBI. Thompson
was arrested on July 29, 2019.
## Regulatory Analysis
**OCC Consent Order and $80 Million Fine:** The Office of the
Comptroller of the Currency, Capital One’s primary banking regulator,
issued a consent order and an $80 million civil money penalty in
August 2020. The OCC found that Capital One had:
- Failed to establish effective risk assessment processes prior to migrating significant IT operations to the public cloud
- Failed to implement appropriate network security and data loss prevention measures
- Operated with numerous internal audit weaknesses related to cloud governance
The OCC’s enforcement action was notable for its specific focus on cloud
security governance. The consent order required Capital One to develop and
submit a comprehensive cloud security plan addressing IAM policies, network
configuration management, data classification and protection, vulnerability
management, and security monitoring.
This was one of the first major U.S. banking regulatory actions to address
cloud-specific security failures, establishing that moving to the cloud
does not diminish a bank’s responsibility for securing its data.
**GLBA Safeguards Rule:** As a bank holding company, Capital One
is subject to the Gramm-Leach-Bliley Act’s Safeguards Rule, which
requires financial institutions to develop, implement, and maintain a
comprehensive information security program. The SSRF vulnerability in
the WAF, the excessive IAM permissions, and the failure to implement
IMDSv2 constituted failures under the Safeguards Rule’s requirement
for reasonable security measures.
**National Bank Act:** The OCC’s authority to impose the $80 million
civil money penalty derived from the National Bank Act, which empowers the
OCC to assess penalties for violations of federal banking regulations. The
penalty reflected the severity of the security failures, the volume and
sensitivity of the exposed data, and Capital One’s position as one of
the largest banks in the United States.
**Federal Reserve Board:** Separately from the OCC action, the Federal
Reserve Board issued a cease-and-desist order requiring Capital One to
improve its risk management program, with specific attention to cloud
security, data governance, and internal audit functions. The Federal
Reserve’s order focused on deficiencies in Capital One’s board-level
oversight of information security risk.
**State Breach Notification and Class Action:** Capital One notified
affected consumers across all 50 states and settled a class action lawsuit
for $190 million in December 2021. The settlement provided for cash
payments to class members, two years of enhanced identity theft protection,
and a guaranteed minimum spend on security improvements.
**Criminal Prosecution:** Paige Thompson was convicted in June 2022
on seven counts of computer fraud and abuse and wire fraud. She was
sentenced in September 2022 to time served plus five years of probation
and ordered to pay $2.6 million in restitution.
## What Should Have Been Done
**IMDSv2 Enforcement:** AWS released Instance Metadata Service
Version 2 (IMDSv2) specifically to prevent SSRF-based credential theft.
IMDSv2 requires session-oriented requests: a client first obtains a
session token with an HTTP PUT and then presents that token in a request
header on every metadata GET. A typical SSRF payload controls only a URL,
so it can neither issue the PUT nor add the header, which is what makes
IMDSv2 resistant to the type of attack Thompson used.
Capital One should have enforced IMDSv2 across all EC2 instances. This
single configuration change would have prevented the attack entirely.
**Principle of Least Privilege for IAM Roles:** The WAF’s IAM
role had permissions to access S3 buckets containing credit card
application data, permissions far beyond what a WAF requires to
perform its traffic-filtering function. IAM roles must be scoped to
the minimum permissions necessary for their function.
A WAF needs access to its configuration and logging infrastructure,
not to customer data storage. Automated IAM access analysis tools,
including AWS IAM Access Analyzer, can identify and flag overly
permissive role policies.
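The following is an added example, not Capital One’s or AWS’s code, of the kind of automated check the paragraph above describes: it walks an IAM policy document and flags Allow statements that grant S3 data-plane actions on wildcard resources. Both policy documents are constructed for illustration, the account ID is the AWS documentation placeholder, and the role, log group and bucket names are hypothetical.

```python
"""Flag overly permissive S3 access in an IAM role policy document.

Added example (not Capital One's or AWS's code). The first policy is the
kind of over-broad grant the article describes; the second scopes the same
role down to what a traffic-filtering WAF actually needs.
"""
import fnmatch
import json

# S3 actions that enumerate or read customer data. A WAF role should hold
# none of these on buckets that store application records.
S3_DATA_ACTIONS = {
    "s3:GetObject",
    "s3:GetObjectVersion",
    "s3:ListBucket",
    "s3:ListAllMyBuckets",
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_overbroad_s3(policy):
    """Return one finding per Allow statement whose Action pattern covers an
    S3 data action and whose Resource is '*' or an all-buckets S3 ARN."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        granted = sorted(a for a in S3_DATA_ACTIONS
                         if any(_matches(p, a) for p in actions))
        if not granted:
            continue
        wide = [r for r in resources
                if r == "*" or r.startswith("arn:aws:s3:::*")]
        if wide:
            findings.append({
                "statement": stmt.get("Sid", f"#{idx}"),
                "actions": granted,
                "resources": wide,
            })
    return findings


# Constructed: an over-permissive WAF role policy (placeholder names).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WafLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "*"},
        {"Sid": "S3Everything", "Effect": "Allow",
         "Action": "s3:*", "Resource": "*"},
    ],
}

# Constructed: the same role scoped to its logging and rule-file needs.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "WafLogs", "Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/waf/*"},
        {"Sid": "WafRules", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-waf-config/rules/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_overbroad_s3(policy), indent=2))
```

The check deliberately ignores the CloudWatch Logs wildcard in the first statement: the point of least privilege for this role is that S3 customer data is out of scope, so the scanner reports only S3 data actions. Feeding it the output of `iam.get_role_policy()` or `iam.get_policy_version()` turns it into a per-role audit.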
**Cloud Security Posture Management:** The misconfigurations that
enabled this breach (the SSRF-vulnerable WAF, the overly permissive
IAM role, the use of IMDSv1) are the types of issues that cloud
security posture management (CSPM) tools are designed to detect.
Continuous automated scanning of cloud configurations against security
baselines would have flagged these issues before they could be exploited.
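As an added example serving both the IMDSv2 enforcement point above and the CSPM point here (not Capital One’s or AWS’s code), the following is a posture check that finds EC2 instances still answering IMDSv1 requests and builds the remediation call for each. The `describe_instances` response is constructed with the shape boto3 returns (`MetadataOptions` with `HttpTokens` and `HttpPutResponseHopLimit` are documented fields); the instance IDs and Name tags are placeholders. In production you would replace `SAMPLE_RESPONSE` with `ec2.describe_instances()` and pass the returned keyword arguments to `ec2.modify_instance_metadata_options()`.

```python
"""CSPM-style check: find EC2 instances whose metadata service still accepts
IMDSv1 (HttpTokens != 'required') and produce the call that enforces IMDSv2.

Added example, not Capital One's or AWS's code. SAMPLE_RESPONSE is a
constructed describe_instances() result with placeholder instance IDs.
"""

SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0example000000001",
             "Tags": [{"Key": "Name", "Value": "waf-proxy"}],
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0example000000002",
             "Tags": [{"Key": "Name", "Value": "app-server"}],
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0example000000003",
             "Tags": [{"Key": "Name", "Value": "batch-worker"}],
             "MetadataOptions": {"HttpEndpoint": "enabled",
                                 "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 2}},
        ]}
    ]
}


def instance_name(instance):
    """Value of the Name tag, or '' when the instance is untagged."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value", "")
    return ""


def imds_findings(response):
    """One finding per instance whose metadata endpoint is enabled but does
    not require a session token, i.e. still answers plain IMDSv1 GETs."""
    findings = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if (opts.get("HttpEndpoint") == "enabled"
                    and opts.get("HttpTokens") != "required"):
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "Name": instance_name(inst),
                    "HttpTokens": opts.get("HttpTokens"),
                    "HopLimit": opts.get("HttpPutResponseHopLimit"),
                })
    return findings


def remediation_kwargs(finding):
    """Keyword arguments for ec2.modify_instance_metadata_options() that
    require IMDSv2 tokens and keep the PUT hop limit at 1, so the token
    response cannot be relayed through an extra network hop (e.g. a proxy
    or container bridge) on its way back."""
    return {
        "InstanceId": finding["InstanceId"],
        "HttpEndpoint": "enabled",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": 1,
    }


if __name__ == "__main__":
    for f in imds_findings(SAMPLE_RESPONSE):
        print(f"{f['InstanceId']} ({f['Name']}): HttpTokens={f['HttpTokens']}, "
              f"hop limit={f['HopLimit']} -> {remediation_kwargs(f)}")
```

Run on a schedule against every region, this is the baseline scan the paragraph describes: any instance that drifts back to `HttpTokens: optional` (for example, a new launch template that omitted the setting) shows up on the next pass rather than the next incident.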
**Network-Level Controls for Metadata Access:** Beyond IMDSv2,
network-level controls can restrict access to the metadata service.
Firewall rules on EC2 instances can block applications from reaching
the metadata endpoint (169.254.169.254) unless explicitly required.
This defense-in-depth approach ensures that even if a web application
vulnerability allows SSRF, the metadata service is unreachable.
**Data Loss Prevention for Cloud Storage:** The exfiltration of
terabytes of data from S3 buckets should have triggered alerts. Data
loss prevention systems that monitor API calls to cloud storage services
can detect anomalous download volumes, unusual access patterns, and
data movement to unexpected destinations. The OCC specifically cited
the absence of effective DLP as a failure in Capital One’s security
program.
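The following is an added example (not Capital One’s or AWS’s code, and not a description of their monitoring) of the detection logic the paragraph above calls for: it groups CloudTrail-style S3 data events per principal into fixed time windows and raises an alert when one principal lists or reads far more distinct buckets, or issues far more object reads, than a baseline allows. The events are constructed and simplified; `eventTime`, `eventName`, `userIdentity.arn` and `requestParameters.bucketName` are real CloudTrail field names, while the account ID, role names, bucket names and thresholds are placeholders and assumptions to tune against your own baseline.

```python
"""Detection: alert on a principal that enumerates or reads an unusual
number of distinct S3 buckets within a short window.

Added example, not Capital One's or AWS's code. Events are constructed,
simplified CloudTrail-style S3 data-event records with placeholder names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
MAX_DISTINCT_BUCKETS = 5   # assumed baseline: a WAF role touches a handful of buckets
MAX_GETS = 50              # assumed baseline: object reads per principal per window
EPOCH = datetime(1970, 1, 1)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _event(when, name, arn, bucket):
    return {"eventTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "eventName": name,
            "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket}}


def build_sample_events():
    """Constructed: an app role reading one bucket at a normal rate, and a
    WAF instance role (credentials obtained via the metadata service) that
    lists and pulls objects from many buckets in a few minutes."""
    base = _ts("2019-03-22T10:00:00Z")
    app = "arn:aws:sts::123456789012:assumed-role/app-server-role/i-0app000000000001"
    waf = "arn:aws:sts::123456789012:assumed-role/waf-proxy-role/i-0waf000000000001"
    events = [_event(base + timedelta(minutes=i), "GetObject", app, "example-app-assets")
              for i in range(4)]
    for i in range(12):
        t = base + timedelta(minutes=5 + i)
        bucket = f"example-data-{i:03d}"
        events.append(_event(t, "ListObjects", waf, bucket))
        events.append(_event(t + timedelta(seconds=20), "GetObject", waf, bucket))
    return events


def detect_bulk_access(events):
    """Bucket events per (principal, fixed window) and return an alert for
    every window in which a principal exceeded either threshold."""
    stats = defaultdict(lambda: {"buckets": set(), "gets": 0, "first": None})
    for e in sorted(events, key=lambda ev: ev["eventTime"]):
        arn = e["userIdentity"]["arn"]
        slot = (_ts(e["eventTime"]) - EPOCH) // WINDOW   # integer window index
        rec = stats[(arn, slot)]
        rec["first"] = rec["first"] or e["eventTime"]
        bucket = e.get("requestParameters", {}).get("bucketName")
        if e["eventName"] in ("ListObjects", "GetObject") and bucket:
            rec["buckets"].add(bucket)
        if e["eventName"] == "GetObject":
            rec["gets"] += 1
    alerts = []
    for (arn, _slot), rec in stats.items():
        if len(rec["buckets"]) > MAX_DISTINCT_BUCKETS or rec["gets"] > MAX_GETS:
            alerts.append({"principal": arn,
                           "window_start": rec["first"],
                           "distinct_buckets": len(rec["buckets"]),
                           "get_calls": rec["gets"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(build_sample_events()):
        print(alert)
```

The alert keys on the assumed-role ARN, which for instance-profile credentials embeds the instance ID: that ties the activity back to a specific host (here the WAF) and makes an instance role reading customer-data buckets stand out even when the API calls themselves are individually authorized. In a real deployment the events come from CloudTrail S3 data events, and the thresholds come from a per-role baseline rather than fixed constants.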
**Pre-Migration Security Assessment:** Capital One was widely
regarded as a cloud-first financial institution and was frequently
cited as a model for banking sector cloud adoption. However, the
breach revealed that the speed of cloud migration had outpaced the
maturation of cloud-specific security controls. Organizations migrating
sensitive workloads to the cloud must conduct rigorous security
assessments of their cloud architecture before, during, and after
migration.
The Capital One breach demonstrated that cloud migration does not
transfer security responsibility to the cloud provider. A single
misconfigured WAF with excessive permissions exposed 106 million
records spanning 14 years, resulting in $80 million in regulatory
fines, $190 million in class action settlements, and a federal
criminal conviction. For every organization operating in the cloud,
Capital One is proof that misconfigured IAM roles and unprotected
metadata services are not theoretical risks; they are active
attack surfaces that adversaries will find and exploit.