ROUNDTABLE: Huge Capital One breach shows too little is being done to preserve data privacy

By Byron V. Acohido

Company officials at Capital One Financial Corp ought to have a crystal clear idea of what to expect next — after admitting to have allowed a gargantuan data breach.

Capital One’s mea culpa coincided with the FBI’s early morning raid of a Seattle residence to arrest Paige Thompson. Authorities charged the 33-year-old former Amazon software engineer with masterminding the hack.

Related: Hackers direct botnets to manipulate business logic

Thompson is accused of pilfering sensitive data for 100 million US and 6 million Canadian bank patrons. That includes social security and social insurance numbers, bank account numbers, phone numbers, birth dates, email addresses and self-reported income; in short, just about everything on an identity thief’s wish list.

Just a few days before Capital One’s disclosure,  Equifax rather quietly agreed to pay up to $700 million to settle consumer claims and federal and state investigations into its 2017 data breach that compromised sensitive information of more than 145 million American consumers. Also very recently,  the Federal Trade Commission slammed Facebook with a record $5 billion fine for losing control over massive troves of personal data and mishandling its communications with users.

Sure enough, it didn’t take long (less than 24 hours) for Keven Zosiak, a Stamford, Connecticut resident and Capital One credit card holder, to file a lawsuit  against Capital One for its failure to protect sensitive customer data. Many more lawsuits, as well as federal probes and Congressional hearings, are sure to follow.

Oh, and let’s not forget how Equifax summarily canned five top execs, including Equifax CEO Richard Smith, in the aftermath of its big breach. Not even doing this YouTube video apology was enough to save Smith his job.  It’s going to be interesting to see who Capital One’s board of directors designates to throw under the bus on this one.

Larger lessons

Arguably the most fascinating twist to the Capital One caper is the FBI’s rather quick arrest of Paige Thompson. Arrests in network breaches are rare, indeed. For instance, we know a lot of details about the Equifax breach, thanks to a GAO investigation and report. But no suspects have ever been publicly named.

What’s more, the usual suspects in high-profile breaches – i.e. professional Russian, Eastern European, Chinese and North Korean hacking collectives – appear to be out of the loop with respect to this particular caper. The Capital One breach, it seems to me, vividly highlights the depth and breadth of the Internet underground. Anyone with technical aptitude, diligence and a lack of scruples, such as an out-of-work IT staffer, can engage in criminal activity at a fairly high level.

The tools and tutorials to execute deeply invasive hacks, and the support services and access to black markets – to get lucratively paid – are readily available and accessible. Thompson’s mistake was that she operated on U.S. soil, within the reach of U.S. law enforcement, and she also failed to use tried-and-true stealth tactics to cover her tracks. At least, that’s what I get from reading the FBI’s indictment.

Yes, law enforcement deserves credit for the arrest. But, let’s face it, Thompson was low-hanging fruit. There are hundreds more low-level, but much more discreet cyber criminals active globally every minute of every day. Best security and privacy practices on everyone’s part is more imperative than ever. I’ve been saying this for 15 years, and it remains as true as ever. Last Watchdog convened a roundtable of cybersecurity and privacy thought leaders and asked them to supply their takeaways:

Satya Gupta, CTO, Virsec:

Gupta

This attacker was careless and boastful and most hackers trying to promote their own skills will get caught. It’s more disturbing that the hacker was not noticed by either Capital One or AWS who employed her – they had no clue until after the fact. Thankfully, ethical hackers were scanning GitHub and looking for illicit data that shouldn’t be there.

There were many serious mistakes made. Capital One’s highly confidential data was accessible to a system admin by a very simple password-based mechanism. They were not using two-factor authentication and clearly no one was monitoring the audit logs. In addition, sensitive data was not encrypted at rest, and no one was auditing access logs. This was the Perfect Storm.

The guidance for consumers in the aftermath of breaches like this one is usually the same and not very satisfactory – carefully monitor your credit and all financial transactions carefully, then hope it’s not you.

Pravin Kothari, CEO, CipherCloud:

Kothari

As we saw in the case of the Facebook and Equifax fines, we’ll see more and more regulators bring the hammer down and levy some of the largest fines ever seen to raise the sense of urgency on businesses to protect their client sensitive information properly. It could be FTC first, then European GDPR and Canadian PIPEDA, then upcoming California Consumer Privacy Act, and many other privacy regulations worldwide.

Cybersecurity and data privacy are trends similar to the trends of cloud, mobile and AI. Businesses are naturally jumping on cloud, mobile and AI for finding new business opportunities, but they are not paying enough attention to cybersecurity and data privacy.

Many businesses are not doing enough to protect their client sensitive PII information. They do not realize that internet and cloud services are not bullet-proof. They assume that their information is safe with service providers.  But a simple misconfiguration, a bug or abuse of an API could cause major exposure and havoc, as we saw with Facebook and Equifax – and now Capital One.

Sameer Dixit, VP Security Consulting, Spirent SecurityLabs

Dixit

This was a stark reminder that conventional approaches towards preventing and stopping a data breach are no longer fully effective. Traditional pen testing—which is only done quarterly or annually — achieves compliance and produces a point-in-time in-depth analysis, but this needs to be complemented with continuous assessment against quickly evolving attack tactics and ever-changing threats.

In today’s environment, testing must run continuously, and it needs to include the ability to find actual attack behaviors that can lead up to a data breach. The technology is available.

Advanced  pen testing can take into account attacker activities, based on assessments from a variety of enterprises and organizations. Doing such testing on an ongoing basis is an effective way to identify attackers and thwart attacks.

Laurence Pitt, Global Security Strategy Director, Juniper Networks

Pitt

This was a real wow – and very worrying. Malicious insiders are a huge risk to any organization, someone who is unhappy can be subverted for either money or simply to cause damage and disrupt business systems. The alleged hacker had previously worked for Amazon, and accessed Capital One servers rented from Amazon Web Services.

This would seem to indicate that she either knew of a weakness in AWS and took advantage (unlikely) or retained access to AWS cloud in a way that allowed her to gain access to the Capital One systems. This latter would still be a complex hack. The bottom line is that anyone can become malicious if they are unhappy, and any organization which grants high-levels of access rights to their systems also needs a process which can simply and quickly revoke said rights.

George Wrenn, Founder & CEO, CyberSaint Security:

Wrenn

This breach, unfortunately, is another example of what can happen when larger organizations fail to  integrate compliance and risk management. The great challenge for many enterprises is to ensure that they have the infrastructure in place to be continually aware of major vulnerabilities, as well as control failures. Too often organizations see security assessments as a periodic activity.

Yet without the tools and culture to support a truly integrated approach to compliance and risk management, institutions will remain vulnerable to these breaches. Yes, it was an application failure that went unnoticed, and this can happen largely because many institutions still operate their cybersecurity teams in silos. Without an integrated approach to risk management, organizations cannot say that they have accurate visibility, and we will continue to see these breaches occur.

Dan Tuchler, CMO, SecurityFirst:

Tuchler

This latest data breach highlights the continued vulnerability of data — even in light of growing regulatory requirements meant to shorten reporting and rectification time in order to ensure data privacy. While Capital One seems to have had appropriate measures in place to discover the breach quicker than the norm, this is still a massive amount of data that has been compromised and consumers will ultimately pay the price.

Security protocols must be tightened by any organization housing sensitive data so access is closely monitored. And policies and tools must be in place to ensure decrypted data can only be viewed by authorized users.

Acohido

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone