Task 1 of 6

The $68 Million Mistake That Was Entirely Preventable

In 2019, the Capital One breach exposed the personal data of over 100 million people. A former AWS employee exploited a misconfigured web application firewall to access an AWS metadata endpoint. From there, she obtained IAM credentials that gave full access to Capital One's S3 buckets — where customer data sat in plaintext.

The misconfiguration: a single server role had been given excessive permissions, and a firewall was configured to allow outbound requests it should have blocked. Two configuration mistakes. $270M in fines, settlements, and remediation costs.
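An added example, not part of the course material: a small Python audit for the two settings this chain depends on, a role policy that grants wildcard S3 access to every bucket, and an instance metadata service that still answers token-less requests (IMDSv2 not required). The policy documents and instance settings below are constructed samples, not Capital One's configuration; field names follow the IAM policy and EC2 MetadataOptions formats.

```python
# Constructed samples: an over-broad role policy of the kind the case study
# describes, beside a least-privilege version scoped to one bucket prefix.
# Neither is a real policy from the breach; the bucket name is a placeholder.
OVER_PERMISSIONED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-assets-example-bucket/*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy):
    """Return findings for Allow statements that use wildcard actions
    (s3:*, s3:Get*, *) or apply to every resource (* or arn:aws:s3:::*)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action.endswith("*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if any(r == "*" or r.endswith(":::*") for r in _as_list(stmt.get("Resource"))):
            findings.append(f"statement {i}: applies to all resources")
    return findings


def metadata_hardened(metadata_options):
    """True when the instance metadata endpoint is disabled or requires
    IMDSv2 session tokens, so a forwarded token-less GET gets no credentials."""
    if metadata_options.get("HttpEndpoint", "enabled") == "disabled":
        return True
    return metadata_options.get("HttpTokens") == "required"


if __name__ == "__main__":
    print(audit_policy(OVER_PERMISSIONED))
    print(audit_policy(LEAST_PRIVILEGE))
    print(metadata_hardened({"HttpTokens": "optional"}))
```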

FIVE REAL MISCONFIGURATIONS AND THEIR COST

Capital One (2019)
  Misconfiguration: Misconfigured WAF + over-permissioned IAM role
  Impact: 100M records exposed. $270M total cost.

Facebook (2019)
  Misconfiguration: Hundreds of millions of passwords stored in plaintext in internal logs
  Impact: 600M users affected. Never publicly acknowledged the full scope.

Microsoft Power Apps (2021)
  Misconfiguration: 38 organisations left their Power Apps portals in a publicly accessible default configuration
  Impact: 38M records exposed, including NHS COVID vaccination data and employee PII.

Twitch (2021)
  Misconfiguration: Internal Git repository left exposed with insufficient access controls
  Impact: 6,000 internal repositories leaked, including source code and creator payout data.

Toyota (2023)
  Misconfiguration: A subcontractor uploaded code to a public GitHub repository, including an access key for a cloud server
  Impact: 2.15M customers' vehicle data exposed for 10 years.

What all of these have in common: no custom exploit, no zero-day, no sophisticated technique. Someone left a door open. Someone else walked through it.


What made the Capital One breach a misconfiguration issue rather than a vulnerability in custom code?
