Capital One is modernizing its technology stack with in-house development and adopting a public cloud-oriented strategy on Amazon Web Services, an outlier in the risk-averse financial services sector.
But even with cybersecurity measures in place, Capital One was breached.
The company’s breach disclosure came 10 days after the intrusion’s discovery. A suspect is already in custody and Amazon Web Services is distancing itself from the bank’s flawed web configuration.
Capital One is the latest company to suffer an unauthorized access to its systems. About 106 million customers were impacted by the intrusion, which exposed personal information including credit scores and payment history.
“No one steals that much data just for bravado,” Avivah Litan, distinguished VP analyst at Gartner, told CIO Dive. It’s possible, Litan said, the information was already sold, increasing the chances of identity fraud for impacted customers.
CIO Dive outlined five things to know about Capital One’s data breach and what led law enforcement to Paige “erratic” Thompson. As more details become known, further security and privacy scrutiny is expected.
1. Who hacked Capital One?
The Department of Justice accused Thompson, who uses “erratic” as her online handle, of illegally accessing a computer holding financial records of Capital One customers, according to an indictment.
She is a former AWS employee, reports The New York Times. Thompson “allegedly used web application firewall credentials to obtain privilege escalation,” Scott Albahary, chief strategist of financial services at Perficient, told CIO Dive in an email. The bank had a configuration flaw that she was able to abuse.
The DOJ said Thompson posted on GitHub about taking Capital One’s data from servers “very close in time to the intrusions.”
On June 27, Thompson claimed a directory in her possession held data “associated with Capital One” and posted about other private and public entities, according to the DOJ. Law enforcement believes these public confessions could reference other illegal intrusions.
Around the same time, she posted in a Slack channel, “I wanna get it off my server that’s why I’m archiving all of it lol,” according to a screenshot provided by Capital One.
The day after a user submitted a tip to Capital One about Thompson’s GitHub post, she said on Twitter, “I’ve basically strapped myself with a bomb vest … I wanna distribute those buckets first I think.”
2. The cloud security nothingburger
Capital One found the GitHub file, dated April 21, and detailed the IP address for a particular server.
“A firewall misconfiguration permitted commands to reach and be executed by that server,” enabling access to data folders or buckets on AWS, according to the DOJ.
Critics blaming Amazon for the breach are misinformed, according to Litan. The infiltrator got in through the Web Application Firewall (WAF) and it was likely sitting on a Capital One server.
AWS has security services but enterprises have their own access management and manage access security brokers that bridge on-premise access to the cloud.
This was “not good timing for AWS,” but it doesn’t deserve the criticism, said Litan.
Most of the security companies put around the cloud is within their control.
Capital One “has plenty of security controls,” including its in-house developed Cloud Custodian, according to Litan. Because the bank wrote the open source tool, it put a lot of money in identifying configuring and permissions management issues.
3. What’s at stake
The breached data was copied from the folders or buckets and contained credit card application information. Some of the information, like Social Security numbers, were encrypted.
But unencrypted information ranges from names, addresses and bank account numbers.
Some data, like names and email addresses, carries less weight than other personal data. “The more specific you get, the more opportunity it has for abuse,” Jeff Wilbur, director of the Online Trust Alliance Initiative at the Internet Society, told CIO Dive.
Specific bank account numbers could allow hackers to initiate automatic clearing house transfers. Social Security numbers can be used to apply for credit cards, loans or tax refunds, according to Wilbur. Any personal data leak can contribute to the creation of more personalized phishing schemes.
The “potential impact to an individual is unconstrained” when other details accompany banking information, said Albahary.
4. Breaches in financial services
The banking industry boasts some of the largest IT budgets in enterprise. JPMorgan spent nearly $11 billion on technology in 2018, followed by Bank of America spending about $10 billion and Citigroup’s approximately $8 billion tech spend.
Even with deep pockets, bank cybersecurity can have flaws.
In 2005, CitiFinancial, a Citigroup subsidiary, experienced a physical data breach. The company said UPS had lost “tapes” while in transit, containing names, Social Security numbers, account history and loan information.
At the time, the lost information was the largest reported breach of customer data, but now hackers are savvier.
In 2014, JPMorgan Chase experienced a data breach, which impacted 76 million households and 7 million small businesses. While basic personal data, like names and phone numbers were compromised, other information, like account numbers and Social Security numbers, was left untouched.
In 2017, Capital One had a data breach, which was less severe than the July announcement. The breach was carried out between January and April of 2017 as a result of an “inside job,” according to the notification letter.
“Security is not a science, it’s an art,” said Litan. It sometimes defies even best practices.
It’s possible Capital One lacked certain security protocols, like layered protection, encryption, or weak password security.
However, “we can’t expect Capital One to fight these threats,” she said. Cyber criminals’ sophistication demands a better cybersecurity alliance between the public and private sector.
5. Privacy implications
As data privacy regulation gains momentum in the U.S., scrutiny and recovers costs are expected.
Capital One expects the breach to cost between $100 million and $150 million in 2019. However, the company has a cyber risk insurance policy, subject to a $10 million deductible and total coverage limit of $400 million, according to Capital One’s breach announcement.
With the FTC handing out two record fines last week, it’s unclear how much of a potential data privacy penalty can be covered by insurance.
“Negligence, while not an excuse or defense, must be viewed against a different scale” than intentional misuses of consumer data, said Albahary. But the type of data exposed plays a role in how fines are levied.
If law enforcement is able to conclude with certainty that Thompson leveraged her experience at AWS to gain access, it would suggest “Capital One’s security policies and procedures were severely lacking, as access codes need to be secured, available only on a need to know basis, and changed frequently,” Albahary said.