Capital One is reporting a massive data breach affecting 100 million people in the US that exposed the names, addresses, phone numbers and email addresses they used on their credit card applications. The announcement came after the alleged hacker, an ex-AWS employee, was arrested and charged with a single count of computer fraud. Prosecutors alleged that the access to the bank data came through a misconfigured firewall protecting one of its applications.
- About 100m individuals based in the US and 6m in Canada had their information compromised in the breach. About 1.1m Social Security Numbers and 80,000 linked bank account numbers were also accessed
- The breach took place in late March but was not discovered until this month
- The data theft revelations come just days after the credit reporting agency Equifax agreed to pay almost $800m in a record US settlement after a 2017 hack that exposed the personal data of close to 150m people
In Capital One’s case, this was a misconfigured firewall that led to the exposure of an Amazon S3 bucket. But similar to S3 bucket configuration, firewalls can only be accessed by users explicitly given access. S3 buckets, however, by default, only grant access to the account owner and the resource creator, so someone has to misconfigure an S3 bucket deliberately to expose the data.
As a most basic first step to avoiding S3 bucket leaks, companies need to take advantage of native AWS capabilities to ensure they are purposefully using AWS S3 access policies to define who can access the objects stored within. Companies can then ensure their team is well trained to never open access to the public, unless necessary, as doing so can result in the exposure of PII and other sensitive data, and help prevent unauthorized access to your data by taking advantage of capabilities like AWS Config.
The challenge is that many organizations, especially those in the financial industry, struggle to adopt and enforce best practices consistently, and only 100% consistency can ensure protection against a breach. For financial service organizations to take full advantage of the opportunities public cloud offers, they must ensure that clear cloud governance standards are defined and that they can present evidence of compliance to assessors and auditors. An investment in cloud operations is a vital additional step.
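The commentary above recommends using S3 access policies deliberately and never opening a bucket to the public. The following is an added example, not code from the article or from Capital One or AWS: a small offline auditor that reads a bucket policy document and reports any Allow statement whose Principal is the public wildcard. The policy documents, bucket name and account id are constructed for illustration; in a real account the policy text would come from boto3's `get_bucket_policy(Bucket=...)["Policy"]`.

```python
"""Audit an S3 bucket policy for statements that open the bucket to the public.

Added example, not from the article. The policy documents below are constructed;
the bucket name and account id are placeholders.
"""
import json

# Constructed policy: a legitimate role-scoped grant plus a public-read statement.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},  # placeholder
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})

# The corrected policy: same role grant, public statement removed.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [json.loads(PUBLIC_POLICY)["Statement"][0]],
})


def _as_list(value):
    """Policy elements may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True if the Principal element grants to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_json):
    """Return findings for every Allow statement open to the public.

    A public statement that carries a Condition is still reported, flagged as
    conditional, because a reviewer must judge whether the condition
    (e.g. a source-VPC restriction) is actually tight enough.
    """
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement", []))):
        if statement.get("Effect") != "Allow":
            continue
        if not is_public_principal(statement.get("Principal")):
            continue
        findings.append({
            "sid": statement.get("Sid", f"statement[{index}]"),
            "actions": _as_list(statement.get("Action", [])),
            "conditional": "Condition" in statement,
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("PUBLIC_POLICY", PUBLIC_POLICY), ("HARDENED_POLICY", HARDENED_POLICY)):
        print(name, public_statements(doc))
```

This check is the kind of thing the article's mention of AWS Config is meant for: the managed rule `s3-bucket-public-read-prohibited` evaluates the same condition continuously, and account-level S3 Block Public Access stops such a statement from taking effect at all. The script here is only the policy-parsing half, so it can run without credentials.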
At last, tokenization is deployed, doing what it is supposed to do. Good job, Capital One, more please!
But, what’s in your inbox? Capital One victims are going to be phished for years to come – long after the clichéd 12 months’ credit monitoring is done. So they and their employers should learn how to spot a phishing attack. The Dark Web probably knows more about most people in North America than their governments will publicly admit to. Employers need to protect themselves by ensuring that their employees are security aware.
The European Space Agency is collaborating with Mattel to put a Barbie doll in a space suit, to encourage girls to be astronauts. Hackers are more motivated to attack than defenders are to defend — playing defense is a continuous and often thankless task, but breaching defenses is an intellectual, tactical and strategic victory; but I bet this real-life crime will inspire more females to get into cyber-security, probably on the right side of the law.
The risk of a breach is higher than ever before for financial institutions. Those breaches create a lot of stress on both the issuer’s side and on consumers as fraud is easy to commit with stolen account information. Classic defense like firewalls only protect you from known attack methods and often fail when it comes to insider threats.
It’s crucial to protect sensitive data over the entire data lifecycle. A lot of organizations use classic encryption to do that. While Capital One stated that they are encrypting their data as a standard, “particular circumstances” enabled the decrypting of data. Due to complex key management and the fact that keys can be shared or exposed, classic encryption can fail.
Fortunately, Capital One used tokenization to protect social security numbers and account numbers. As this is a different approach to data security – ideally not involving the distribution of keys – the tokenized data remained protected. However, recent tokenization technology could have been used to protect not only social security numbers and account numbers but also personal information, customer status data and transaction data.
Implementing data-centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward. Acquirers, merchants and issuers should only use tokens instead of clear text data to process payments and store sensitive data. If hackers get access to these tokens, the data is useless. This also reduces stress on both sides, for businesses and consumers.
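The passages above contrast key-based encryption, which fails when keys are shared or exposed, with tokenization, where the stored value has no mathematical relation to the original. The following is an added example, not Capital One's or any vendor's implementation: a vault-style tokenizer that replaces SSNs, account numbers and (as the commentary suggests) other personal fields with random format-preserving tokens, and only releases the original to an authorized role. The record, role names and values are constructed; the `TokenVault` class and its methods are assumptions for illustration.

```python
"""Vault-style tokenization of sensitive fields (added example, not from the article).

Tokens are random characters of the same shape as the input, generated with the
OS CSPRNG. There is no key: the only way back to the original is the mapping
held in the vault, which is the single component that must be locked down.
"""
import secrets
import string


class TokenVault:
    def __init__(self, authorized_roles=("payments-core",)):
        self._value_to_token = {}
        self._token_to_value = {}
        self._authorized = set(authorized_roles)

    @staticmethod
    def _random_like(value):
        # Preserve format: digits stay digits, letters stay letters (same case),
        # separators such as "-" are kept so legacy schemas still fit.
        out = []
        for ch in value:
            if ch.isdigit():
                out.append(secrets.choice(string.digits))
            elif ch.isupper():
                out.append(secrets.choice(string.ascii_uppercase))
            elif ch.islower():
                out.append(secrets.choice(string.ascii_lowercase))
            else:
                out.append(ch)
        return "".join(out)

    def tokenize(self, value):
        """Consistent tokenization: the same value always yields the same token,
        so downstream systems can join on tokens without ever seeing the value."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            token = self._random_like(value)
            if token != value and token not in self._token_to_value:
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token, role):
        """Release the original only to an authorized role; everyone else gets
        a PermissionError rather than the clear-text value."""
        if role not in self._authorized:
            raise PermissionError(f"role {role!r} is not allowed to detokenize")
        return self._token_to_value[token]


SENSITIVE_FIELDS = ("ssn", "account_number", "name")


def protect_application(vault, record):
    """Return the version of a credit card application that is safe to store:
    every sensitive field replaced by its token, everything else unchanged."""
    stored = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in stored:
            stored[field] = vault.tokenize(stored[field])
    return stored


# Constructed sample application; the values are made up.
SAMPLE_APPLICATION = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "account_number": "98765432",
    "credit_limit": 5000,
}

if __name__ == "__main__":
    vault = TokenVault()
    stored = protect_application(vault, SAMPLE_APPLICATION)
    print("stored record:", stored)
    print("payments-core sees:", vault.detokenize(stored["ssn"], "payments-core"))
```

The point the example makes concrete is the "particular circumstances" remark: a thief who copies the stored records gets tokens that look like SSNs but carry no information, and there is no decryption key to find elsewhere; the vault itself, and the authorization check in front of it, become the control that matters.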
The Capital One breach is a classic example of the “insider threat” which has been present since the first merchant hung a shingle and sold goods and is certainly not limited to the digital age.
The insider threat is not limited to employees and extends to third-party providers, as Capital One fell victim to. The third-party provider threat is a concern for CISOs and regulators alike, which is why the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) include specific requirements regarding third-party service providers. Under the regulation, banks and financial services providers must secure their own systems as well as implement third-party risk management programs. Coincidentally, the regulation’s applicability for third-party service providers just went into effect in March of this year. According to the regulation, section 500.11, “The organization must document written procedures and policies to ensure third-party risk management programs protect information systems and non-public information.” Additionally, policies and procedures pertaining to third-party service providers are required to include relevant guidelines for due diligence as well as contractual protections, addressing: access controls, including multi-factor authentication; encryption; notifications to be provided to the primary organization in response to a cybersecurity event; representations and warranties for a third party’s cybersecurity policies and procedures.
The good news is the perpetrator was identified and arrested; however, the severity of the penalties Capital One will incur from federal and state regulators remains to be seen. Although Capital One is headquartered in Virginia, it is licensed to conduct business in New York with branches in the state.
This is a real wow – and very worrying. Malicious insiders are a huge risk to any organization, someone who is unhappy can be subverted for either money or simply to cause damage and disrupt business systems. The alleged hacker had previously worked for Amazon, and accessed Capital One servers rented from AWS. This would seem to indicate that she either knew of a weakness in AWS and took advantage (unlikely) or retained access to AWS cloud in a way that allowed her to gain access to the Capital One systems. This latter would still be a complex hack though as I’m sure that C1 would be using multiple factors to authenticate including tokens or SMS messaging codes.
The bottom line is that anyone can become malicious if they are unhappy, and any organisation which grants high levels of access rights to their systems also needs a process which can simply and quickly revoke said rights. We often hear about zero-day start processes which ensure that a new starter has a laptop, phone, email and the ability to work as soon as they join – how about ensuring that they also have zero-day stop too? Meaning that all systems access can be audited and revoked fast when someone either leaves, or is removed, from their employment.
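The "zero-day stop" argued for above needs a check that actually runs: reconcile what the identity systems still grant against the HR leaver list, and flag anything that outlived the person's employment. The following is an added example, not from the article or any product: the roster, grant records, user names and field names are constructed for illustration, and the function names are assumptions.

```python
"""Leaver reconciliation: find access grants that survived an employee's departure.

Added example, not from the article. HR_ROSTER and ACCESS_GRANTS are constructed
stand-ins for an HR export and an identity-system export.
"""
from datetime import date

# Constructed HR roster: who is still employed and, for leavers, their last day.
HR_ROSTER = [
    {"user": "alice", "status": "active", "end_date": None},
    {"user": "bob",   "status": "left",   "end_date": date(2019, 3, 15)},
    {"user": "carol", "status": "left",   "end_date": date(2019, 7, 20)},
]

# Constructed grants as the identity systems currently report them.
ACCESS_GRANTS = [
    {"user": "alice", "system": "aws-prod", "role": "admin"},
    {"user": "bob",   "system": "aws-prod", "role": "admin"},
    {"user": "bob",   "system": "vpn",      "role": "user"},
    {"user": "carol", "system": "email",    "role": "user"},
    {"user": "dave",  "system": "aws-prod", "role": "read-only"},  # nobody in HR knows dave
]


def stale_grants(roster, grants, today):
    """Return every grant that should already have been revoked.

    Two kinds of finding:
      - "leaver": the user has an end_date in the past; days_overdue says how long
        the access has outlived the employment.
      - "not_in_roster": the account exists in a system but HR has no record of the
        person at all (ex-contractor, shared account, or an attacker's foothold).
    Leavers are sorted longest-overdue first so the worst case is revoked first.
    """
    by_user = {entry["user"]: entry for entry in roster}
    findings = []
    for grant in grants:
        entry = by_user.get(grant["user"])
        if entry is None:
            findings.append({**grant, "reason": "not_in_roster", "days_overdue": None})
            continue
        end = entry["end_date"]
        if entry["status"] == "left" and end is not None and end <= today:
            findings.append({**grant, "reason": "leaver", "days_overdue": (today - end).days})
    return sorted(findings, key=lambda f: -1 if f["days_overdue"] is None else f["days_overdue"],
                  reverse=True)


def revocation_plan(findings):
    """Group findings by system so each system owner gets one ticket, not many."""
    plan = {}
    for f in findings:
        plan.setdefault(f["system"], []).append(f["user"])
    return plan


if __name__ == "__main__":
    found = stale_grants(HR_ROSTER, ACCESS_GRANTS, date(2019, 7, 29))
    for f in found:
        print(f)
    print(revocation_plan(found))
```

Run daily against real exports, the interesting metric is the largest `days_overdue`: a zero-day stop process should keep it at zero, and anything in the `not_in_roster` bucket is a question for whoever owns that system rather than for HR.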