Capital One Suffers Data Breach Affecting 100 Million Customers

Capital One is reporting a massive data breach affecting 100 million people in the US that exposed the names, addresses, phone numbers and email addresses they used on their credit card applications. The announcement came after the alleged hacker, an ex-AWS employee, was arrested and charged with a single count of computer fraud. Prosecutors alleged that access to the bank's data came through a misconfigured firewall protecting one of its applications.

  • About 100m individuals based in the US and 6m in Canada had their information compromised in the breach. About 1.1m Social Security Numbers and 80,000 linked bank account numbers were also accessed
  • The breach took place in late March but was not discovered until this month
  • The data theft revelations come just days after the credit reporting agency Equifax agreed to pay almost $800m in a record US settlement after a 2017 hack that exposed the personal data of close to 150m people

EXPERTS COMMENTS
Chris DeRamus, CTO and co-founder, DivvyCloud
August 07, 2019
Organizations need to leverage AWS S3 access policies
In Capital One’s case, this was a misconfigured firewall that led to the exposure of an Amazon S3 bucket. But similar to S3 bucket configuration, firewalls can only be accessed by users explicitly given access. S3 buckets, however, by default, only grant access to the account owner and the resource creator, so someone has to misconfigure an S3 bucket deliberately to expose the data. As a m ....
Colin Bastable, CEO, Lucy Security
August 01, 2019
Hackers are more motivated to attack than defenders are to defend -- playing defense is a continuous and often thankless task.
At last, tokenization is deployed, doing what it is supposed to do. Good job, Capital One, more please! But, what’s in your inbox? Capital One victims are going to be phished for years to come – long after the cliched 12 months’ credit monitoring is done. So they and their employers should learn how to spot a phishing attack. The Dark Web probably knows more about most people in North Amer ....
Felix Rosbach, Product Manager, comforte AG
August 01, 2019
Implementing data centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary.
The risk of a breach is higher than ever before for financial institutions. Those breaches create a lot of stress on both the issuer’s side and on consumers as fraud is easy to commit with stolen account information. Classic defense like firewalls only protect you from known attack methods and often fail when it comes to insider threats. It’s crucial to protect sensitive data over the entir ....
Michael Magrath, Director, Global Regulations & Standards, OneSpan
August 01, 2019
The good news is the perpetrator was identified and arrested.
The Capital One breach is a classic example of the “insider threat” which has been present since the first merchant hung a shingle and sold goods and is certainly not limited to the digital age. The insider threat is not limited to employees and extends to third party providers as Capital One fell victim to. The third-party provider threat is a concern for CISOs and regulators alik ....
Laurence Pitt, Global Security Strategy Director, Juniper Networks
August 01, 2019
All systems access can be audited and revoked fast when someone either leaves, or is removed, from their employment.
This is a real wow – and very worrying. Malicious insiders are a huge risk to any organization, someone who is unhappy can be subverted for either money or simply to cause damage and disrupt business systems. The alleged hacker had previously worked for Amazon, and accessed Capital One servers rented from AWS. This would seem to indicate that she either knew of a weakness in AWS and took advanta ....
Stuart Reed, VP of Cyber, Nominet
August 01, 2019
When a hacker has gained a foothold on the network, as in this instance, data theft through a variety of methods can be exploited.
With 100 million individuals in the US and 6 million in Canada affected by the Capital One security breach, it is significant to financial institutions around the world. Although the amount of information that Capital One has released on the security incident is clear and transparent, it demonstrates the extent of data at risk. Digital transformation and a continual stream of new technologies comi ....
James Hadley, CEO, Immersive Labs
August 01, 2019
If your security team does not know how to deploy it correctly then it can still leave you vulnerable.
The Capital One breach is proof that companies have a lot to learn when it comes to deploying security technology effectively. From reading their description of the breach, you would be forgiven for thinking it was an elite hacker exploiting a vulnerability. In reality, as stated by the FBI, it was simply a poorly configured firewall that allowed the hacker in. “When it comes to cybersecurity ....
Sam Curry, Chief Security Officer, Cybereason
August 01, 2019
Regardless of whether this woman has any offensive skills, if any, as a hacker, she's likely to be a hot mess on the defensive side.
For all intents and purposes, it looks like Capital One had some good security practices in place as evidenced by tokenization of data shown so far. As a positive, the FBI made an arrest quickly and there is a chance to minimise the damage. Normally, it’s months, years or never in terms of arrests and accountability of the criminals. Finding things sooner in the lifecycle, always limits the impact ....
Dave Atkinson, CEO, Senseon
August 01, 2019
In this case it only took one hacker to find this vulnerability and take Capital One for all the valuable data they could seize.
This massive data breach is another reminder of the complexities and difficulties large corporations face with safeguarding their data, where something as simple as a misconfiguration within their infrastructure has the potential to expose hundreds of millions of customers’ data. ‘In this case it only took one hacker to find this vulnerability and take Capital One for all the valuable dat ....
Tom DeSot, EVP, Digital Defense
July 31, 2019
The circumstances around the Capital One breach
The circumstances around the Capital One breach highlight the need for increased scrutiny of hosted security applications. As enterprises and networks become more distributed and network resources – including security applications – are allocated to the cloud, the security applications themselves, whether commercially available or custom designed, must be regularly tested and monitored to ens ....
Felix Rosbach, Product Manager, comforte AG
July 31, 2019
Classic defense like firewalls only protect you from known attack methods and often fail when it comes to insider threats.
The risk of a breach is higher than ever before for financial institutions. Those breaches create a lot of stress on both the issuers’ side and on consumers as fraud is easy to commit with stolen account information. Classic defense like firewalls only protect you from known attack methods and often fail when it comes to insider threats. It’s crucial to protect sensitive data over the entire ....
Javvad Malik, Security Awareness Advocate, KnowBe4
July 31, 2019
Details are still emerging, it may not be all bad news for Capital One.
The Capital One breach is huge, and echoes the Equifax breach in that not only has it impacted over 100m individuals, but that the breach occurred 4 months ago. While details are still emerging, it may not be all bad news for Capital One. A researcher notified Capital One of a vulnerability on July 17th, which initiated an internal investigation, not only uncovering the breach, but also resulted ....
Ilia Kolochenko, CEO, ImmuniWeb
July 31, 2019
One more example of web applications as the Achilles’ Heel of modern financial.
“This is just one more colourful, albeit lamentable, example that web applications are the Achilles’ Heel of the modern financial industry. Reportedly, the intrusion had happened in March but was noticed only upon notification in late July. Given Capital One’s [comparatively] immense capacity to invest into cybersecurity and the allegedly trivial nature of the vulnerability, such protracted ....
Steve Armstrong, Regional Director UK, Ireland & South Africa, Bitglass
July 31, 2019
Controls are essential.
“Access to cloud data repositories should be controlled by contextual access control as a bare minimum - by first identifying the user, the device and location of access organisations can take policy-based remediation of these types of issues. Furthermore, data centric controls should be applied - data encryption tied to the data owners key management system would have gone some way to mitigatin ....
Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center), Synopsys
July 31, 2019
Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center) said
The disclosure by Capital One of a breach impacting 100 million users highlights the importance of auditing your software supply chain regularly and validating the current configuration of systems against their expected state and then auditing all access against expected actions. As identified in the FBI Complaint, access was facilitated by a misconfiguration of a firewall. Once able to access Cap ....
Jonathan Bensen, CISO, Balbix
July 31, 2019
The key to preventing a breach like what Capital One has suffered is to leverage security tools that employ AI and ML.
“Despite what has been reported, this data was not hacked from Capital One. The accused individual was charged with intentionally accessing a computer without authorization that contained information belonging to Capital One Financial Corporation. Fortunately, Capital One has a responsible disclosure program that allowed a good samaritan to contact the company and let it know about the leaked S3 ....
Igor Baikalov, Chief Scientist, Securonix
July 30, 2019
Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additi
The perpetrator of this breach was identified unusually fast and turned out to be a former employee of AWS, a cloud computing company contracted by Capital One, according to NYT and Bloomberg. Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds. Th ....
Jake Moore, Cybersecurity Specialist, ESET
July 30, 2019
Capital One didn’t report it publicly for nearly two weeks after the breach occurred, until the FBI had arrested someone - something that the ICO has
All it took was a misconfigured firewall and an experienced software engineer with some clever knowhow to compromise all of this data. It is thought that the alleged criminal hacker once worked for Amazon Web Services, which makes this attack more of an insider threat and should remind companies how important it is to not overlook such risk. Interestingly, Capital One didn’t report it ....
