Capital One Announces Data Security Incident

press.capitalone.com

27 points by caruana 6 years ago · 6 comments

JDEW 6 years ago

> We believe that a highly sophisticated individual was able to exploit a specific configuration vulnerability in our infrastructure. When this was discovered, we immediately addressed the configuration vulnerability and verified there are no other instances in our environment.

In other words, someone didn't put a password on their S3 database exposed to the internet...

  • julsimon 6 years ago

    S3 is not a database, but that's not the point. As explained by Capital One, the attacker gained access through a misconfigured web app. This could have happened on any platform (on-premise or cloud), and the underlying AWS services weren't compromised in any way.

  • gm_fan_boi 6 years ago

    They would probably argue S3 is a product targeted at sophisticated people; by virtue of knowing how S3 operates, you are sophisticated.

  • dharmab 6 years ago

    From reading news sites, they were compromised by an Amazon employee, exploiting a bad WAF role.

wilde 6 years ago

> No bank account numbers or Social Security numbers were compromised, other than:
>
> • About 140,000 Social Security numbers of our credit card customers
>
> • About 80,000 linked bank account numbers of our secured credit card customers

This kind of doublespeak should double their fine.
