The old "unsecured S3 bucket trick" strikes again. This time, a vendor placed data about Capital One's network, along with credentials, into the bucket.
Data analytics firm Birst, a Capital One vendor, apparently made the error.
Tech Republic reports: "The bucket data provides, in essence, a roadmap for hackers to further target systems owned by Capital One. If a hacker successfully breached Capital One's network by means of some other exploit, the system information and administrative credentials would grant an attacker access to analytics data contained on the Birst appliance, as well as anything the appliance had access to."
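For defenders, the exposure described in that quote is a bucket-configuration question, and it can be checked mechanically. As an added example (not from the original post, Birst or Capital One), the Python below evaluates constructed bucket policy, ACL and Public Access Block documents in the shape boto3 returns for them, and reports whether anonymous readers could list or fetch objects; the bucket name and statement Sid are made up.

```python
"""Flag S3 bucket configurations that let anonymous readers list or fetch objects.

Added example, not from the original post. The documents are constructed in the shape
boto3 returns from get_bucket_policy / get_bucket_acl / get_public_access_block; no AWS call."""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def _listify(v):
    return v if isinstance(v, list) else [v]


def public_read_statements(policy):
    """Sids of Allow statements granting read/list to any principal ('*')."""
    sids = []
    for s in _listify(policy.get("Statement", [])):
        p = s.get("Principal")
        wildcard = p == "*" or (isinstance(p, dict) and "*" in _listify(p.get("AWS", [])))
        acts = [a.lower() for a in _listify(s.get("Action", []))]
        readable = any(a in ("*", "s3:*") or a.startswith(("s3:get", "s3:list")) for a in acts)
        if s.get("Effect") == "Allow" and wildcard and readable:
            sids.append(s.get("Sid", "<no Sid>"))
    return sids


def public_acl_grants(acl):
    """Permissions granted to the global AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]


def bucket_exposed(policy, acl, pab):
    """True when a public grant exists and Public Access Block does not neutralise it.
    RestrictPublicBuckets overrides public policies; IgnorePublicAcls overrides public ACLs."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    via_policy = bool(public_read_statements(policy)) and not cfg.get("RestrictPublicBuckets")
    via_acl = bool(public_acl_grants(acl)) and not cfg.get("IgnorePublicAcls")
    return via_policy or via_acl


# Constructed configurations: a leaky bucket of the kind described above, then the same
# bucket after Public Access Block is switched on (the policy and ACL are left unchanged).
LEAKY_POLICY = {"Statement": [{"Sid": "AnyoneCanList", "Effect": "Allow", "Principal": "*",
                               "Action": ["s3:GetObject", "s3:ListBucket"],
                               "Resource": "arn:aws:s3:::example-analytics-bucket/*"}]}
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
NO_BLOCK = {"PublicAccessBlockConfiguration": {}}
FULL_BLOCK = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
```

Run against real accounts, the same three documents come from the boto3 calls named in the docstring; note that BlockPublicPolicy alone only stops new public policies being attached and does not revoke one that is already in place.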
Gizmodo is on this story as well, and Capital One responded to the publication by downplaying the significance of the leak:
"As a matter of standard practice, Capital One changes all default settings, including credentials, prior to deploying third party software. Because of this, there is no impact to the security of Capital One systems and data."
A security vendor made the original discovery.
Hopefully no one else did.
The whole thing is a reminder of why third-party security seems to be on nearly every SecureWorld conference agenda in 2018.