Intelligence Advisory
zerotolerance.me

Capital One 106M Records Stolen via AWS Misconfiguration

Jul 2019 · $270M total

Publication Date: 2019-07-01
Category: Regulatory Enforcement
Author: K. Ellabban
Organization: Zero|Tolerance Security Research

In March 2019, Paige Thompson, a former Amazon Web Services engineer, exploited a misconfigured web application firewall (WAF) protecting Capital One’s AWS environment to execute a server-side request forgery (SSRF) attack. The attack yielded access to 14 years of credit card application data covering 106 million individuals in the United States and Canada, including 140,000 Social Security numbers and 80,000 linked bank account numbers.

Executive Summary

Key Facts

  • What: Former AWS engineer exploited a misconfigured WAF to steal Capital One data.
  • Who: 106 million U.S. and Canadian credit card applicants over 14 years.
  • Data Exposed: SSNs, bank account numbers, credit scores, and application records.
  • Outcome: $80M OCC fine, $190M class action settlement, and criminal conviction.

Impact Assessment

What Was Exposed

  • Names, addresses, dates of birth, and self-reported income for 106 million credit card applicants spanning 2005 to 2019
  • Approximately 140,000 Social Security numbers from U.S. applicants
  • Approximately 80,000 linked bank account numbers
  • One million Social Insurance Numbers from Canadian applicants
  • Credit scores, credit limits, balances, payment history, and contact information
  • Fragments of transaction data including dates, amounts, and merchant categories
  • 23 days of credit card application data including applicant-submitted financial details

The breadth of the exposed dataset was extraordinary. Fourteen years of credit card application data constituted a comprehensive financial profile for each affected individual, revealing not only their identity but their income trajectory, creditworthiness, spending patterns, and banking relationships.

For the 140,000 individuals whose Social Security numbers were exposed alongside this financial data, the breach provided everything needed for sophisticated financial fraud, synthetic identity creation, and targeted social engineering.

Analysis

The Attack: SSRF Through a Misconfigured WAF

Thompson’s attack exploited a chain of misconfigurations in Capital One’s AWS deployment. The attack began with a server-side request forgery (SSRF) vulnerability in a misconfigured ModSecurity web application firewall that Capital One had deployed on an EC2 instance.

The WAF had been configured with excessive IAM role permissions, granting it access to S3 buckets containing sensitive data far beyond what was necessary for its traffic-filtering function.

By sending crafted HTTP requests to the WAF, Thompson was able to trick it into querying the AWS Instance Metadata Service (IMDS), which returned temporary security credentials associated with the WAF’s IAM role. These credentials provided access to S3 buckets containing Capital One’s credit card application data.

Thompson used the credentials to list the contents of more than 700 S3 folders and buckets and to download the data stored within them.

Thompson’s inside knowledge of AWS architecture was instrumental in the attack. As a former AWS systems engineer who had worked on the S3 storage service, she understood the metadata service, IAM role assumptions, and S3 bucket access patterns intimately. However, the vulnerabilities she exploited were not obscure or novel: SSRF attacks against cloud metadata services were well documented in the security community, and AWS had published guidance on mitigating them.

The breach was discovered not through Capital One’s security monitoring but through a tip from an external researcher. On July 17, 2019, a security researcher discovered that Thompson had been publicly boasting about the breach on social media and in Slack channels under the handle “erratic.” The researcher reported the information to Capital One, which confirmed the unauthorized access and notified the FBI. Thompson was arrested on July 29, 2019.

Compliance Impact

Regulatory Analysis

OCC Consent Order and $80 Million Fine: The Office of the Comptroller of the Currency, Capital One’s primary banking regulator, issued a consent order and an $80 million civil money penalty in August 2020. The OCC found that Capital One had:

  • Failed to establish effective risk assessment processes prior to migrating significant IT operations to the public cloud
  • Failed to implement appropriate network security and data loss prevention measures
  • Operated with numerous internal audit weaknesses related to cloud governance

The OCC’s enforcement action was notable for its specific focus on cloud security governance. The consent order required Capital One to develop and submit a comprehensive cloud security plan addressing IAM policies, network configuration management, data classification and protection, vulnerability management, and security monitoring.

This was one of the first major U.S. banking regulatory actions to address cloud-specific security failures, establishing that moving to the cloud does not diminish a bank’s responsibility for securing its data.

GLBA Safeguards Rule: As a bank holding company, Capital One is subject to the Gramm-Leach-Bliley Act’s Safeguards Rule, which requires financial institutions to develop, implement, and maintain a comprehensive information security program. The SSRF vulnerability in the WAF, the excessive IAM permissions, and the failure to implement IMDSv2 constituted failures under the Safeguards Rule’s requirement for reasonable security measures.

National Bank Act: The OCC’s authority to impose the $80 million civil money penalty derived from the National Bank Act, which empowers the OCC to assess penalties for violations of federal banking regulations. The penalty reflected the severity of the security failures, the volume and sensitivity of the exposed data, and Capital One’s position as one of the largest banks in the United States.

Federal Reserve Board: Separately from the OCC action, the Federal Reserve Board issued a cease-and-desist order requiring Capital One to improve its risk management program, with specific attention to cloud security, data governance, and internal audit functions. The Federal Reserve’s order focused on deficiencies in Capital One’s board-level oversight of information security risk.

State Breach Notification and Class Action: Capital One notified affected consumers across all 50 states and settled a class action lawsuit for $190 million in December 2021. The settlement provided for cash payments to class members, two years of enhanced identity theft protection, and a guaranteed minimum spend on security improvements.

Criminal Prosecution: Paige Thompson was convicted in June 2022 on seven counts of computer fraud and abuse and wire fraud. She was sentenced in September 2022 to time served plus five years of probation and ordered to pay $2.6 million in restitution.

Assessment

What Should Have Been Done

IMDSv2 Enforcement: AWS released Instance Metadata Service Version 2 (IMDSv2) specifically to prevent SSRF-based credential theft.

IMDSv2 requires session-oriented requests with a PUT method and token header, making it resistant to the type of SSRF attack Thompson used.

Capital One should have enforced IMDSv2 across all EC2 instances. This single configuration change would have prevented the attack entirely.

Principle of Least Privilege for IAM Roles: The WAF’s IAM role had permissions to access S3 buckets containing credit card application data, permissions far beyond what a WAF requires to perform its traffic-filtering function. IAM roles must be scoped to the minimum permissions necessary for their function.

A WAF needs access to its configuration and logging infrastructure, not to customer data storage. Automated IAM access analysis tools, including AWS IAM Access Analyzer, can identify and flag overly permissive role policies.

Cloud Security Posture Management: The misconfigurations that enabled this breach (the SSRF-vulnerable WAF, the overly permissive IAM role, the use of IMDSv1) are the types of issues that cloud security posture management (CSPM) tools are designed to detect.

Continuous automated scanning of cloud configurations against security baselines would have flagged these issues before they could be exploited.
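The two posture checks described above, IMDSv2 enforcement and a least-privilege S3 scope for the WAF role, as an added Python example (not the advisory’s or Capital One’s tooling). It audits constructed dicts shaped like boto3’s describe_instances() and get_role_policy() responses, so it runs offline; the instance IDs, account number, policy statements, bucket name and the set of S3 actions a WAF is allowed are all assumptions.

```python
# Constructed sample, shaped like boto3 ec2.describe_instances(): one hardened host,
# one that still answers IMDSv1 GETs (instance IDs are made up).
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa11111111aaaaa",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb22222222bbbbb",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
]}]}

# Constructed inline policy for a hypothetical WAF instance role: the logging
# statement is fine, the second is the blanket S3 grant the advisory describes.
WAF_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:waf:*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}

# What a traffic-filtering WAF role may touch in S3 (assumed for this example):
# read-only access to its own config bucket and nothing else.
WAF_S3_ALLOWED = {"actions": ("s3:GetObject",),
                  "resources": ("arn:aws:s3:::waf-config-bucket/*",)}


def imds_findings(describe_instances_response):
    """(instance_id, reason) for every instance that is not IMDSv2-only."""
    findings = []
    for reservation in describe_instances_response["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no IMDS at all, so no role credentials reachable via SSRF
            if opts.get("HttpTokens") != "required":
                findings.append((inst["InstanceId"], "IMDSv1 still allowed"))
            if opts.get("HttpPutResponseHopLimit", 1) > 1:
                # a hop limit above 1 lets the token response cross a network hop
                findings.append((inst["InstanceId"], "hop limit > 1"))
    return findings


def s3_overreach(policy, allowed):
    """(action, resource) pairs that grant S3 access outside the allowed set."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    allowed_actions = {a.lower() for a in allowed["actions"]}
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if not (action == "*" or action.lower().startswith("s3:")):
                continue  # not an S3 grant; out of scope for this check
            for res in as_list(stmt.get("Resource", [])):
                if action.lower() not in allowed_actions or res not in allowed["resources"]:
                    hits.append((action, res))  # wildcard or off-scope grant
    return hits
```

Both functions return an empty list for a role that is IMDSv2-only and limited to reading its config bucket, so they can gate a deployment pipeline as well as run as a periodic scan.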

Network-Level Controls for Metadata Access: Beyond IMDSv2, network-level controls can restrict access to the metadata service.

Firewall rules on EC2 instances can block applications from reaching the metadata endpoint (169.254.169.254) unless explicitly required.

This defense-in-depth approach ensures that even if a web application vulnerability allows SSRF, the metadata service is unreachable.

Data Loss Prevention for Cloud Storage: The exfiltration of terabytes of data from S3 buckets should have triggered alerts. Data loss prevention systems that monitor API calls to cloud storage services can detect anomalous download volumes, unusual access patterns, and data movement to unexpected destinations. The OCC specifically cited the absence of effective DLP as a failure in Capital One’s security program.
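The detection described above, as an added Python example rather than anything Capital One or the OCC describe: it rolls up constructed CloudTrail-shaped S3 events per assumed-role session and alerts on bucket enumeration followed by bulk download. The session ARNs, bucket names, byte counts and thresholds are constructed; the field names follow CloudTrail S3 events (bytesTransferredOut is the size field of a GetObject data event), but tune the baselines to your own roles.

```python
from collections import defaultdict

MAX_BUCKETS_PER_SESSION = 10          # a WAF role has no reason to enumerate buckets
MAX_BYTES_PER_SESSION = 1 * 1024**3   # 1 GiB per evaluation window (assumed baseline)


def _event(session_arn, name, bucket, bytes_out=0):
    """Minimal CloudTrail-shaped record (constructed; only the fields the detector reads)."""
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "AssumedRole", "arn": session_arn},
            "requestParameters": {"bucketName": bucket} if bucket else {},
            "additionalEventData": {"bytesTransferredOut": bytes_out}}


# Constructed session ARNs: a WAF instance role and an unrelated reporting job.
WAF = "arn:aws:sts::111122223333:assumed-role/waf-instance-role/i-0bbb22222222bbbbb"
APP = "arn:aws:sts::111122223333:assumed-role/reporting-role/i-0aaa11111111aaaaa"

# Constructed sample: the reporting job reads three small files (normal), while the
# WAF session lists every bucket and pulls bulk data, the pattern the advisory describes.
EVENTS = [_event(APP, "GetObject", "reports-bucket", 2 * 1024**2) for _ in range(3)]
EVENTS.append(_event(WAF, "ListBuckets", None))
for i in range(40):
    EVENTS.append(_event(WAF, "ListObjects", f"cc-applications-{i:03d}"))
    EVENTS.append(_event(WAF, "GetObject", f"cc-applications-{i:03d}", 200 * 1024**2))


def summarize(events):
    """Per-session rollup: distinct buckets touched, bytes out, and whether ListBuckets ran."""
    stats = defaultdict(lambda: {"buckets": set(), "bytes": 0, "list_buckets": False})
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        s = stats[ev["userIdentity"]["arn"]]
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket:
            s["buckets"].add(bucket)
        if ev["eventName"] == "ListBuckets":
            s["list_buckets"] = True
        s["bytes"] += ev.get("additionalEventData", {}).get("bytesTransferredOut", 0)
    return stats


def alerts(events):
    """Return {session_arn: [reasons]} for sessions that exceed the baselines."""
    out = {}
    for arn, s in summarize(events).items():
        reasons = []
        if s["list_buckets"] and len(s["buckets"]) >= MAX_BUCKETS_PER_SESSION:
            reasons.append(f"enumerated {len(s['buckets'])} buckets after ListBuckets")
        if s["bytes"] >= MAX_BYTES_PER_SESSION:
            reasons.append(f"{s['bytes'] // 1024**2} MiB transferred out")
        if reasons:
            out[arn] = reasons
    return out
```

Keying the rollup on the full assumed-role session ARN ties the alert to the specific instance whose credentials were used, which is the first question an incident responder will ask.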

Pre-Migration Security Assessment: Capital One was widely regarded as a cloud-first financial institution and was frequently cited as a model for banking sector cloud adoption. However, the breach revealed that the speed of cloud migration had outpaced the maturation of cloud-specific security controls. Organizations migrating sensitive workloads to the cloud must conduct rigorous security assessments of their cloud architecture before, during, and after migration.

The Capital One breach demonstrated that cloud migration does not transfer security responsibility to the cloud provider. A single misconfigured WAF with excessive permissions exposed 106 million records spanning 14 years, resulting in $80 million in regulatory fines, $190 million in class action settlements, and a federal criminal conviction. For every organization operating in the cloud, Capital One is proof that misconfigured IAM roles and unprotected metadata services are not theoretical risks; they are active attack surfaces that adversaries will find and exploit.