Editor’s note: Security firm UpGuard deleted a report from its website that claimed unsecured data from a third-party software vendor assigned to Capital One could have potentially put the bank at risk. This article has been updated to reflect the report’s deletion as well as additional information made available from all parties following initial publication.
A software vendor left exposed data destined for one of America’s largest banks by storing it on an unsecured Amazon server.
The unsecured data was first revealed in a report published on Wednesday by security firm UpGuard, which removed the report from its website later that day. The software vendor, Birst, confirmed to Gizmodo that the data, which did not contain any bank customer information, was left unsecured.
The now-deleted report claimed that Birst’s private encryption keys, as well as administrative credentials and passwords assigned by Birst to Capital One were discovered by UpGuard researchers last month on a publicly accessible cloud server. In a statement to Gizmodo, Dan Barnhardt, a spokesperson for Birst’s parent company, Infor, confirmed that a Birst employee uploaded the sensitive files to an unsecured Amazon bucket.
Capital One has contested the UpGuard report’s accuracy, namely that the data exposed by Birst belonged to the bank or that it could potentially pose a risk to its network. “At no time was any Capital One information exposed,” the bank said in a statement Wednesday. “This was simply an instance of a vendor’s software that was hosted in their cloud environment. As a matter of standard practice, Capital One changes all default settings, including credentials, prior to deploying third party software. Because of this, there is no impact to the security of Capital One systems and data.”
The bank’s lawyers were in contact with UpGuard on Wednesday around the time the post went offline, according to UpGuard. “We are taking the post down while we review the content with Capital One,” UpGuard told Gizmodo in an email.
Capital One also requested, on multiple occasions, that Gizmodo delete its story regarding the vanished report.
While UpGuard’s report remains offline, the company has not formally retracted its researchers’ findings, and the status of the report remains unclear. UpGuard declined to comment on whether it has faced lawsuit threats from Capital One. The bank did not answer Gizmodo’s repeated inquiries on the matter.
Although Capital One has repeatedly refused to say whether it uses Birst’s software, Gizmodo has confirmed it was installed on the bank’s hardware by the bank’s staff and remains in use. A Birst spokesperson told Gizmodo by email that once Capital One installed the software, Birst had no access to or control over it.
UpGuard said it found the data on January 15th and that it was secured the same day. Capital One was notified that roughly 50GB worth of data that appeared to belong to the bank had been exposed—the researchers noted that the server’s subdomain was named “capitalone-appliance.” Capital One was left to handle the matter privately with its vendor.
In an email to UpGuard sent after the notification, Gleb Reznik, a Capital One information security officer, thanked UpGuard for its assistance. “We are very appreciative of your work and your mission to safeguard organizations that are venturing in the public cloud environments,” he wrote. “This further reinforces the need for vendors (i.e., Birst) to ensure that their data is protected from unauthorized access.”
Through no fault of its own, Amazon Web Services has hosted the data behind countless breaches in recent years, and has worked to help companies avoid such disasters. For example, its S3 buckets, the kind of cloud storage most often at the center of leaks, including Birst’s, are now encrypted by default. Ultimately, the job of keeping data secure falls on the individual or company to whom it belongs.
Since May 2016, Gizmodo has reported on more than a half dozen data breaches based on UpGuard’s research, including one for which Gizmodo received an award from the Society of Professional Journalists last fall. They include similar leaks involving nearly 200 million US voter files, sensitive files linked to the creation of a Pentagon system handling classified materials, the resumes and curriculum vitae of thousands of Americans with classified and up to top secret security clearances, and gigabytes worth of credentials and other documents from one of the country’s largest media conglomerates, among others.
Since Amazon launched a host of new security features in November, data breach hunters have told Gizmodo they’ve seen little to no drop in the number of sensitive leaks. Amazon’s clients are simply failing to use the security features available to them, likely because it’s more convenient not to, but also because they don’t realize how painless it is for hackers to locate and collect their exposed data.
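The two paragraphs above make a point that is easy to miss: default server-side encryption protects data at rest, but it is transparent to anyone who is allowed to read the bucket, so an ACL or bucket policy that grants access to everyone still exposes the files in the clear. The check below, an added example that is not part of the Gizmodo article and not code from UpGuard, Birst, Amazon or Capital One, shows the three settings a bucket owner should review and flags the exposed ones. It assumes input dicts in the shape boto3's `get_bucket_acl`, `get_bucket_policy` (the `Policy` string) and `get_bucket_encryption` (the `ServerSideEncryptionConfiguration` element) return; the bucket names, account id and grants are constructed samples, and no AWS call is made, so it runs offline.

```python
"""Offline audit of S3 bucket configuration for public exposure.

Added example, not code from the article or any of the companies in it.
Inputs mirror the structures boto3 returns, but the samples at the bottom
are constructed and no AWS API is called.
"""
import json

# Group URIs S3 uses for "everyone" and "any signed-in AWS account" in ACL grants
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_permissions(acl):
    """Permissions the ACL grants to AllUsers or AuthenticatedUsers (sorted, deduplicated)."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            perms.add(grant["Permission"])
    return sorted(perms)


def _principal_is_wildcard(principal):
    """True if a policy Principal element matches every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def policy_public_statements(policy_text):
    """Sids of unconditional Allow statements whose Principal is a wildcard.

    Takes the policy as JSON text, the form get_bucket_policy()["Policy"] returns.
    Deny statements are skipped. Statements carrying a Condition are skipped too:
    they may still be public, but a human has to read the condition, so they are
    out of scope for this automated check.
    """
    policy = json.loads(policy_text)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    hits = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            hits.append(stmt.get("Sid", "statement-%d" % index))
    return hits


def bucket_findings(acl, policy_text=None, encryption=None):
    """Human-readable findings for one bucket; an empty list means nothing was flagged."""
    findings = []
    perms = acl_public_permissions(acl)
    if perms:
        findings.append("ACL grants %s to everyone" % ", ".join(perms))
    if policy_text:
        sids = policy_public_statements(policy_text)
        if sids:
            findings.append("policy allows any principal in: %s" % ", ".join(sids))
    if not (encryption or {}).get("Rules"):
        findings.append("no default server-side encryption rule")
    return findings


# --- Constructed sample inputs (hypothetical bucket, owner id and account) ---
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}

EXPOSED_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
HARDENED_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"},
                "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        # A wildcard Deny is a hardening measure, not an exposure, so it is not flagged
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
DEFAULT_ENCRYPTION = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

if __name__ == "__main__":
    for name, args in [("exposed", (EXPOSED_ACL, EXPOSED_POLICY, None)),
                       ("hardened", (HARDENED_ACL, HARDENED_POLICY, DEFAULT_ENCRYPTION))]:
        print(name, bucket_findings(*args) or ["no findings"])
```

The order of the checks is deliberate: a public ACL grant or a wildcard `Allow` in the policy is the finding that actually leaks files, while a missing default-encryption rule is a weaker, secondary one. Wiring the functions to live boto3 calls means passing `get_bucket_acl(Bucket=...)`, `get_bucket_policy(Bucket=...)["Policy"]` and `get_bucket_encryption(Bucket=...)["ServerSideEncryptionConfiguration"]`, catching the `NoSuchBucketPolicy` and `ServerSideEncryptionConfigurationNotFoundError` client errors as "absent"; that wiring is left out here so the example stays runnable without credentials.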
Correction: The previous headline said “Capital One’s data got exposed” and a later headline said the data leak “Could Have Left a Major US Bank Exposed.” The headline was updated to reflect the fact that UpGuard has deleted its report.