What We Can Learn from the Capital One Data Breach & Security Tips for 2019
Yesterday, July 29th, Capital One Financial Corporation announced that there was unauthorized access to their data, resulting in a breach affecting over 100 million customers in the United States and 6 million in Canada. Specifically, the data accessed includes personal information provided by consumers and small businesses during the credit application process from 2005 through early 2019.
This information includes individuals' names, addresses, zip codes, phone numbers, email addresses, dates of birth, and self-reported income. The hacker also accessed credit card customer data, including credit scores and limits, balances, and payment history, in addition to pieces of transaction data spanning over 23 days from 2016 to 2018. In addition to the above, around 140,000 social security numbers of credit card customers were accessed, and 80,000 linked bank account numbers of Capital One's secured credit card customers. In Canada, approximately 1 million Social Insurance Numbers were compromised.
Otherwise, no information from bank account holders, including bank account numbers or social security numbers, was compromised. Capital One has stated that they will notify the affected individuals through a variety of channels, and plan to offer them free credit monitoring and identity protection. The FBI has arrested the individual responsible, who was a former employee of Amazon Web Services.
How did this happen?
Capital One claims that the nefarious hacker exploited a "specific configuration vulnerability" in their infrastructure, though they don't elaborate on what the vulnerability was. An external security researcher reported the vulnerability to Capital One, which prompted an internal investigation that detected the incident.
Although Capital One does host their data in the cloud, specifically Amazon Web Services, the vulnerability in question is not specific to the cloud and could affect both cloud and on-prem data environments. In fact, Capital One credits the cloud for the ability to diagnose and mend the vulnerability at an expedited rate. Firms that use the cloud for their IT infrastructure must make sure they're deploying the right digital defenses to protect themselves from hackers like these.
This most recent high-profile data breach highlights the importance of cybersecurity in today's evolving IT landscape. Regardless of whether your firm is on-prem or uses a public or private cloud infrastructure, implementing the appropriate layers of security is a critical step in information security.
It's not if, but when, your firm will be subject to a data breach. To prepare, have a Written Information Security Plan, Business Continuity Plan, and an Incident Response Plan specific to your firm at the ready.
Employee training. After large-scale, public breaches like this, hackers often take advantage by deploying sophisticated phishing scams. Employee training can help your firm detect and deflect phishing schemes.
Password policy. Ensure your firm is following secure password management and best practices, like prompting employees to change their passwords often and utilizing strong and unique passwords.
Have the right security layers in place. Ensure your firm has the right tools, technologies and training protocols to adequately protect the firm.