This week’s news of the breach at Capital One Financial Corp. rocked the world and has cybersecurity experts buzzing to analyze what went wrong and advise others how to prevent similar issues at their own organizations.
Private information given to Capital One through credit applications was exposed in a hack that the authorities believe was perpetrated by Paige Thompson, a suspect who was quickly apprehended once Capital One reported the breach to the FBI. Roughly 100 million Americans and 6 million Canadians were impacted.
The exposed information included names, addresses and, in some cases, social security numbers and social insurance numbers.
Investigations into the breach have been started by the Canadian Centre for Cyber Security in collaboration with the RCMP, as well as by the Office of the Privacy Commissioner of Canada (OPC).
Anyone who thinks they may have been affected by the breach is being urged to call the respective hotline to report it.
There’s been no shortage of advice and analysis from cybersecurity experts from across the industry, and many of them reached out to us this week:
Jeff Wilbur, director of the Online Trust Alliance Initiative, The Internet Society
“The Capital One incident is the latest in a string of high-profile, high-impact data breaches. The hacker in this case unlawfully gained access to users’ information that was largely unencrypted by exploiting a misconfigured web application firewall – something that could have been prevented. Year after year our analysis shows that more than 90 per cent of data breaches are preventable – in 2018 it was 95 per cent. This is a grave reminder that companies holding personal and sensitive data need to be extra vigilant. The responsibility for good data stewardship lies with everyone in an organization, not just the C-suite or IT security team. Use strong passwords and multi-factor authentication, keep software updated, be careful with email, encrypt/hash and back up your data where ransomware can’t get to it – these basics would prevent a significant percentage of not just breaches, but all cyber incidents.”
Tom Kellermann, chief cybersecurity officer, Carbon Black, Inc.
“This breach highlights a few important realities for cybersecurity in 2019. First, perimeter-based security measures will not prevent 100 per cent of attacks, 100 per cent of the time. Without visibility into what’s occurring on an enterprise, a business may be completely blind to attacks like this, especially when you consider that Paige Thompson once worked at Amazon as an engineer for the same server business that supported Capital One. Modern threats can come from all domains, including former employees, partners or contractors. A business needs to consider all the potential risks and work to gain visibility across the business into where potential weaknesses exist. Second, it’s absolutely imperative for businesses to be securing their cloud infrastructures and the critical data they hold. Capital One is one of the most ‘cloud-forward’ financial companies in the world; they should be partnering with solution providers who are intimately aware of how to keep the cloud secure. What should not be lost in this is that Capital One is one of the globe’s most recognizable and ubiquitous financial brands that houses critical financial and personal information. As Carbon Black’s research has found, financial institutions are increasingly being targeted by advanced attacks that leverage “island hopping,” lateral movement, counter incident response and fileless attacks. The modern bank heist is now in cyberspace. Capital One customers who are concerned about this breach should keep a close eye on their statements and report any suspicious activity immediately. Customers should also consider signing up for security alerts from Capital One and be extra vigilant over the coming months for possible phishing emails.”
Justin Fier, director for cyber intelligence and analysis, Darktrace
“In this instance, we’re seeing the vulnerabilities of the cloud converge with the constant risks of insider threat, only in this case, it was a secondary insider as the threat came from a provider. What will this do to the B2B market if we can’t trust the employees and procedures done by our partners? When you trust your data on someone else’s servers you inherently trust the people that company has hired as if you hired them yourself. We sign contracts for cloud and SaaS without batting an eye because of all the money we will save. But do we ever ask about the data center administrators walking through the rows of computers hosting our data? We inherently trust them. Why? While this attack will undoubtedly have serious ramifications for Capital One and the millions of individuals affected, this may also have impacts on the usage of cloud computing by banks and the financial services industry. Cloud is not going anywhere and this event, in particular, is not going to make everyone dust off our NAS boxes and come back to on-prem, but I think this will wake companies up to evaluating the risks associated with cloud computing. Although the perpetrator has already been caught, that doesn’t mean that the impacts of this data breach have been prevented. Looking at the timeline of when she had access, this information is likely already on the DarkWeb. In the new digital era, data is currency, and when it falls into the wrong hands it can spread like wildfire throughout the criminal community.”
Stuart Reed, vice-president, Nominet UK
“With 100 million individuals in the U.S. and 6 million in Canada affected by the Capital One security breach, it is significant to financial institutions around the world. Although the amount of information that Capital One has released on the security incident is clear and transparent, it demonstrates the extent of data at risk. Digital transformation and a continual stream of new technologies coming into business infrastructures mean that security teams need to be extra vigilant in ensuring systems – both legacy and new – can integrate seamlessly without opening up vulnerabilities. When a hacker has gained a foothold on the network, as in this instance, data theft through a variety of methods can be exploited. Having systems in place on the network to identify anomalous behavior at an early stage can mean the impact of an attack is reduced.”
Ilia Kolochenko, founder and chief executive officer, ImmuniWeb
“This is just one more colorful, albeit lamentable, example that web applications are the Achilles’ Heel of the modern financial industry. Reportedly, the intrusion had happened in March but was noticed only upon notification in late July. Given Capital One’s [comparatively] immense capacity to invest into cybersecurity and the allegedly trivial nature of the vulnerability, such a protracted detection timeline is incomprehensibly huge. Legal ramifications of the breach may be both exorbitant and protracted, including regulatory fines and penalties, individual and class action lawsuits by the victims. Talking about the alleged suspect, one should remember about the presumption of innocence. The person in question could have been tricked into accessing or downloading the data without any intent to sell it or use with malice, serving as a smoke-screen to mislead law enforcement agencies. Until all the circumstances of the incident become crystal-clear, it would be premature to blame anyone. Victims should now carefully monitor their credit scores and be extremely cautious about any abnormal activities with their accounts. If the data was stolen and sold, we may expect a wave of sophisticated spear-phishing.”
Leigh-Anne Galloway, cybersecurity resilience lead, Positive Technologies
“More than anything, this attack demonstrates how much damage a single hacker can do given the opportunity. Through a cloud configuration error, highly sensitive information of more than 100 million people was exposed. Cloud storage is an increasingly attractive option for large corporations because it is cheaper than on premise, but attacks like this show that organizations aren’t adopting security with the same vigor – and they should, otherwise the financial cost of penalties and lawsuits will vastly outweigh any IT savings. Capital One acted quickly and the FBI successfully caught the culprit, but the outcome of this incident could have been dire if even a fraction of that data was exploited. In this case, the hacker was caught so quickly because of her bravado on public chats, which meant she left multiple traces on the internet. It shows that operations security (OPSEC) is still an important tool for companies to mitigate damage after data is leaked, as is the use of digital forensics to trace hackers. While it looks like all the appropriate measures have been taken to mitigate the risk of fraud, Capital One customers should continue to be extremely vigilant. Keep an eye on your bank accounts and any other connected accounts such as email addresses and immediately flag any suspicious activity to authorities or Capital One. Even if all the data leaked has been secured and accounted for, opportunistic hackers will still try to make the most of this opportunity through techniques like phishing attacks posing as Capital One or authorities. Act with extreme caution and treat any incoming communication with suspicion. If in doubt, go directly to the Capital One website and use contact information there to ensure you are speaking to who you think you are.”
Tom DeSot, executive vice-president and chief information officer, Digital Defense, Inc.
“The circumstances around the Capital One breach highlight the need for increased scrutiny of hosted security applications. As enterprises and networks become more distributed and network resources – including security applications – are allocated to the cloud, the security applications themselves, whether commercially available or custom designed, must be regularly tested and monitored to ensure they are secure and free of misconfigurations that could be leveraged for exploit.”