Capital One Suffers Data Breach Affecting 100 Million Customers

Capital One is reporting a massive data breach affecting 100 million people in the US that exposed the names, addresses, phone numbers and email addresses they had used on their credit card applications. The announcement came after the alleged hacker, an ex-AWS employee, was arrested and charged with a single count of computer fraud. Prosecutors allege that access to the bank's data came through a misconfigured firewall protecting one of its applications.

  • About 100m individuals based in the US and 6m in Canada had their information compromised in the breach. About 1.1m Social Security Numbers and 80,000 linked bank account numbers were also accessed.
  • The breach took place in late March but was not discovered until this month
  • The data theft revelations come just days after the credit reporting agency Equifax agreed to pay almost $800m in a record US settlement after a 2017 hack that exposed the personal data of close to 150m people

EXPERTS' COMMENTS
Chris DeRamus, CTO and co-founder, DivvyCloud
August 07, 2019
Organizations need to leverage AWS S3 access policies
In Capital One’s case, this was a misconfigured firewall that led to the exposure of an Amazon S3 bucket. But similar to S3 bucket configuration, firewalls can only be accessed by users explicitly given access. S3 buckets, however, by default, only grant access to the account owner and the resource creator, so someone has to misconfigure an S3 bucket deliberately to expose the data. As a most basic first step to avoiding S3 bucket leaks, companies need to take advantage of native AWS capabilities to ensure they are purposefully using AWS S3 access policies to define who can access the objects stored within. Companies can then ensure their team is well trained to never open access to the public, unless necessary, as doing so can result in the exposure of PII and other sensitive data, and help prevent unauthorized access to your data by taking advantage of capabilities like AWS Config. The challenge is that many organizations, especially those in the financial industry, struggle to adopt and enforce best practices consistently, and only 100% consistency can ensure protection against a breach. For financial service organizations to take full advantage of the opportunities public cloud offers, they must ensure that clear cloud governance standards are defined and that they can present evidence of compliance to assessors and auditors. An investment in cloud operations is a vital additional step.
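The access-policy hygiene described in the comment above, as an added example that is not part of the original page and not DivvyCloud's or Capital One's code: a Python check that flags bucket-policy statements an anonymous caller could satisfy, next to a constructed policy that scopes the same bucket to one application role reachable only through one VPC endpoint, plus a check that every S3 Block Public Access flag is enabled. The bucket name, account id, role name and VPC endpoint id are placeholders, and the list of condition keys treated as narrowing a wildcard grant is this example's own approximation.

```python
import json

# Constructed example: a bucket policy that opens the bucket to every caller,
# the kind of misconfiguration the comment warns against. Names are placeholders.
PUBLIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "OpenToAll",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-app-bucket", "arn:aws:s3:::example-app-bucket/*"]
  }]
}""")

# Constructed example: the same bucket scoped to one application role and
# reachable only through one VPC endpoint (aws:SourceVpce is a real condition
# key; the account id, role and endpoint id are placeholders).
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleViaEndpoint",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-app-role"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-app-bucket", "arn:aws:s3:::example-app-bucket/*"],
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }, {
    "Sid": "DenyOutsideEndpoint",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-app-bucket", "arn:aws:s3:::example-app-bucket/*"],
    "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }]
}""")

# Assumption of this example: an Allow with a wildcard principal that is
# narrowed by one of these condition keys is treated as not world-readable.
NARROWING_KEYS = {"aws:SourceVpce", "aws:SourceVpc", "aws:SourceIp",
                  "aws:PrincipalAccount", "aws:PrincipalOrgID", "aws:PrincipalArn"}


def _principals(stmt):
    """Flatten the Principal element into a list of principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    found = []
    for value in principal.values():
        found.extend(value if isinstance(value, list) else [value])
    return found


def _condition_keys(stmt):
    keys = set()
    for clause in stmt.get("Condition", {}).values():
        keys.update(clause.keys())
    return keys


def public_statement_sids(policy):
    """Return the Sids of Allow statements an anonymous caller could satisfy."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt):
            continue
        if _condition_keys(stmt) & NARROWING_KEYS:
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


# Flag names match the S3 PublicAccessBlockConfiguration.
BLOCK_PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                             "BlockPublicPolicy", "RestrictPublicBuckets")


def block_public_access_complete(config):
    """True only when every Block Public Access flag is enabled."""
    return all(config.get(flag) is True for flag in BLOCK_PUBLIC_ACCESS_FLAGS)


if __name__ == "__main__":
    print("public statements:", public_statement_sids(PUBLIC_POLICY))   # ['OpenToAll']
    print("public statements:", public_statement_sids(SCOPED_POLICY))   # []
    print(block_public_access_complete({f: True for f in BLOCK_PUBLIC_ACCESS_FLAGS}))
```

The policy checker looks only at the bucket policy; ACLs, access-point policies and IAM policies in the account are separate grant paths, which is why the Block Public Access check sits beside it rather than replacing it.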
Colin Bastable, CEO, Lucy Security
August 01, 2019
Hackers are more motivated to attack than defenders are to defend -- playing defense is a continuous and often thankless task.
At last, tokenization is deployed, doing what it is supposed to do. Good job, Capital One, more please! But, what’s in your inbox? Capital One victims are going to be phished for years to come – long after the clichéd 12 months’ credit monitoring is done. So they and their employers should learn how to spot a phishing attack. The Dark Web probably knows more about most people in North America than their governments will publicly admit to. Employers need to protect themselves by ensuring that their employees are security aware. The European Space Agency is collaborating with Mattel to put a Barbie doll in a space suit, to encourage girls to be astronauts. Hackers are more motivated to attack than defenders are to defend -- playing defense is a continuous and often thankless task, but breaching defenses is an intellectual, tactical and strategic victory; but I bet this real-life crime will inspire more females to get into cyber-security, probably on the right side of the law.
Felix Rosbach, Product Manager, comforte AG
August 01, 2019
Implementing data centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary.
The risk of a breach is higher than ever before for financial institutions. Those breaches create a lot of stress on both the issuer’s side and on consumers, as fraud is easy to commit with stolen account information. Classic defenses like firewalls only protect you from known attack methods and often fail when it comes to insider threats. It’s crucial to protect sensitive data over the entire data lifecycle. A lot of organizations use classic encryption to do that. While Capital One stated that they are encrypting their data as a standard, “particular circumstances” enabled the decrypting of data. Due to complex key management and the fact that keys can be shared or exposed, classic encryption can fail. Fortunately, Capital One used tokenization to protect social security numbers and account numbers. As this is a different approach to data security - ideally not involving the distribution of keys - the tokenized data remained protected. However, recent tokenization technology could have been used to protect not only social security numbers and account numbers but also personal information, customer status data and transaction data. Implementing data centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward. Acquirers, merchants and issuers should only use tokens instead of clear text data to process payments and store sensitive data. If hackers get access to these tokens, the data is useless. This also reduces stress on both sides, for businesses and consumers.
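A vault-style tokenizer, added here to illustrate the distinction the comment draws between tokens and encrypted values; this is example code, not comforte AG's product or anything Capital One runs. Each token is a random surrogate that keeps the shape of the original (digits stay digits, separators stay in place), the only way back is the vault's lookup table, so there is no key to distribute, and a dump of tokenized records contains none of the original values. The applicant records are constructed sample data.

```python
import json
import secrets

# Constructed sample records; every identifier is made up.
SAMPLE_RECORDS = [
    {"applicant": "A. Example", "ssn": "123-45-6789", "account": "4000123456789"},
    {"applicant": "B. Example", "ssn": "987-65-4321", "account": "4000987654321"},
]
SENSITIVE_FIELDS = ("ssn", "account")


class TokenVault:
    """Vault-style tokenizer. A token is a random surrogate with the same shape
    as the value; the only link back to the value is the vault's table."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        if not any(ch.isdigit() for ch in value):
            raise ValueError("value has no digits to replace")
        if value in self._value_to_token:          # consistent token per value
            return self._value_to_token[value]
        while True:
            token = "".join(secrets.choice("0123456789") if ch.isdigit() else ch
                            for ch in value)
            # Reject the value itself, any surrogate already handed out, and
            # any string that happens to equal another stored value.
            if (token != value and token not in self._token_to_value
                    and token not in self._value_to_token):
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Only a holder of the vault can reverse a token."""
        return self._token_to_value[token]


def tokenize_records(records, vault):
    """Return copies of the records with the sensitive fields replaced by tokens."""
    protected = []
    for record in records:
        copy = dict(record)
        for field in SENSITIVE_FIELDS:
            copy[field] = vault.tokenize(copy[field])
        protected.append(copy)
    return protected


def leaked_values(tokenized_records, original_records):
    """Original sensitive values that still appear in a dump of the tokenized data."""
    dump = json.dumps(tokenized_records)
    return {rec[field] for rec in original_records
            for field in SENSITIVE_FIELDS if rec[field] in dump}


if __name__ == "__main__":
    vault = TokenVault()
    protected = tokenize_records(SAMPLE_RECORDS, vault)
    print(json.dumps(protected, indent=2))
    print("originals present in dump:", leaked_values(protected, SAMPLE_RECORDS))
    print("reversed via vault:", vault.detokenize(protected[0]["ssn"]))
```

Because the vault returns the same token for the same value, two records sharing an account number still join correctly, at the price of revealing that equality; a variant that issues a fresh token per use hides even that, but then every consumer needs the vault to correlate records.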
Michael Magrath, Director, Global Regulations & Standards, OneSpan
August 01, 2019
The good news is the perpetrator was identified and arrested.
The Capital One breach is a classic example of the “insider threat” which has been present since the first merchant hung a shingle and sold goods and is certainly not limited to the digital age. The insider threat is not limited to employees and extends to third party providers, as Capital One fell victim to. The third-party provider threat is a concern for CISOs and regulators alike, which is why the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) include specific requirements regarding third-party service providers. Under the regulation, banks and financial services providers must secure their own systems as well as implement third-party risk management programs. Coincidentally, the regulation’s applicability for third-party service providers just went into effect in March of this year. According to the regulation, section 500.11, “The organization must document written procedures and policies to ensure third-party risk management programs protect information systems and non-public information.” Additionally, policies and procedures pertaining to third-party service providers are required to include relevant guidelines for due diligence as well as contractual protections, addressing: access controls, including multi-factor authentication; encryption; notifications to be provided to the primary organization in response to a cybersecurity event; representations and warranties for a third party’s cybersecurity policies and procedures. The good news is the perpetrator was identified and arrested; however, it remains to be seen how severe the penalties Capital One will incur from federal and state regulators will be. Although Capital One is headquartered in Virginia, it is licensed to conduct business in New York with branches in the state.
Laurence Pitt, Global Security Strategy Director, Juniper Networks
August 01, 2019
All systems access can be audited and revoked fast when someone either leaves, or is removed, from their employment.
This is a real wow – and very worrying. Malicious insiders are a huge risk to any organization; someone who is unhappy can be subverted for either money or simply to cause damage and disrupt business systems. The alleged hacker had previously worked for Amazon, and accessed Capital One servers rented from AWS. This would seem to indicate that she either knew of a weakness in AWS and took advantage (unlikely) or retained access to AWS cloud in a way that allowed her to gain access to the Capital One systems. This latter would still be a complex hack though, as I’m sure that C1 would be using multiple factors to authenticate, including tokens or SMS messaging codes. The bottom line is that anyone can become malicious if they are unhappy, and any organisation which grants high levels of access rights to their systems also needs a process which can simply and quickly revoke said rights. We often hear about zero-day start processes which ensure that a new starter has a laptop, phone, email and ability to work as soon as they join – how about ensuring that they also have zero-day stop too? Meaning that all systems access can be audited and revoked fast when someone either leaves, or is removed, from their employment.
Stuart Reed, VP of Cyber, Nominet
August 01, 2019
When a hacker has gained a foothold on the network, as in this instance, data theft through a variety of methods can be exploited.
With 100 million individuals in the US and 6 million in Canada affected by the Capital One security breach, it is significant to financial institutions around the world. Although the amount of information that Capital One has released on the security incident is clear and transparent, it demonstrates the extent of data at risk. Digital transformation and a continual stream of new technologies coming into business infrastructures means that security teams need to be extra vigilant in ensuring systems – both legacy and new – can integrate seamlessly without opening up vulnerabilities. When a hacker has gained a foothold on the network, as in this instance, data theft through a variety of methods can be exploited. Having systems in place on the network to identify anomalous behaviour at an early stage can mean the impact of an attack is reduced.
James Hadley, CEO, Immersive Labs
August 01, 2019
If your security team does not know how to deploy it correctly then it can still leave you vulnerable.
The Capital One breach is proof that companies have a lot to learn when it comes to deploying security technology effectively. From reading their description of the breach, you would be forgiven for thinking it was an elite hacker exploiting a vulnerability. In reality, as stated by the FBI, it was simply a poorly configured firewall that allowed the hacker in. When it comes to cybersecurity, teams need to know what an insecure system looks like. This will help prevent them from deploying expensive security technology in an ineffective manner. This challenge is made more difficult by hackers constantly changing their tactics, leaving the threat landscape in flux, and demonstrates a need for practical training based on real threats. Security teams need to be constantly training themselves on the latest techniques so they can quickly identify vulnerabilities when they see them in a live environment. Continuous learning based on real threats is the only way to ensure that teams know what they should be looking for and how to defend against it; there is no substitute that can be achieved in a classroom, cyber security just moves too fast. It does not matter how advanced your security technology is, if your security team does not know how to deploy it correctly then it can still leave you vulnerable.
Sam Curry, Chief Security Officer, Cybereason
August 01, 2019
Regardless of whether this woman has any offensive skills, if any, as a hacker, she’s likely to be a hot mess on the defensive side.
For all intents and purposes, it looks like Capital One had some good security practices in place, as evidenced by the tokenization of data shown so far. As a positive, the FBI made an arrest quickly and there is a chance to minimise the damage. Normally, it’s months, years or never in terms of arrests and accountability of the criminals. Finding things sooner in the lifecycle always limits the impact and damage to the innocent. Unfortunately, it’s hard to say what data was lost by classification of customers. I highly recommend that Capital One explain this more carefully so the public and its customers can take the appropriate steps. I expect them to do so. This woman seems aptly named, erratic. It would appear that at least part of her motive was ego driven and she has something to prove, implying that she may not have ties to organised crime or have sold this data. The forensics trail needs to be chased immediately, to eliminate her disclosure of the data. Regardless of whether this woman has any offensive skills, if any, as a hacker, she’s likely to be a hot mess on the defensive side. Her disclosure and online flailing are fresh meat in the water for sharks, and hackers are no doubt tracking her electronic signals to find her stashes of Capital One data. The longer law enforcement and Capital One take to secure the lost data in her digital footprint, the more likely truly malicious actors will obtain it and use it.
Dave Atkinson, CEO, Senseon
August 01, 2019
In this case it only took one hacker to find this vulnerability and take Capital One for all the valuable data they could seize.
This massive data breach is another reminder of the complexities and difficulties large corporations face with safeguarding their data, where something as simple as a misconfiguration within their infrastructure has the potential to expose hundreds of millions of customers’ data. In this case it only took one hacker to find this vulnerability and take Capital One for all the valuable data they could seize. While the culprit has been caught, there is a lesson to be learned here. It’s a real demonstration of why businesses need to have total visibility of their IT environment to, firstly, identify potential vulnerabilities before they are exploited and, secondly, detect malicious activity as early as possible to halt the attack. Misconfiguration vulnerabilities plague businesses in all industries, and this is a red flag that attackers are actively looking to exploit them.
Tom DeSot, EVP, Digital Defense
July 31, 2019
The circumstances around the Capital One breach highlight the need for increased scrutiny of hosted security applications.
The circumstances around the Capital One breach highlight the need for increased scrutiny of hosted security applications. As enterprises and networks become more distributed and network resources – including security applications – are allocated to the cloud, the security applications themselves, whether commercially available or custom designed, must be regularly tested and monitored to ensure they are secure and free of misconfigurations that could be leveraged for exploit.
Javvad Malik, Security Awareness Advocate, KnowBe4
July 31, 2019
While details are still emerging, it may not be all bad news for Capital One.
The Capital One breach is huge, and echoes the Equifax breach in that not only has it impacted over 100m individuals, but the breach occurred 4 months ago. While details are still emerging, it may not be all bad news for Capital One. A researcher notified Capital One of a vulnerability on July 17th, which initiated an internal investigation that not only uncovered the breach but also resulted in one individual being arrested, all within two weeks. This represents a quick turnaround and shows that, while threat detection capabilities may have been lacking in the ability to pick up the breach, the company was paying attention to disclosed reports and had a quick and competent response capability to hand.
Ilia Kolochenko, CEO, ImmuniWeb
July 31, 2019
One more example of web applications as the Achilles’ Heel of the modern financial industry.
“This is just one more colourful, albeit lamentable, example that web applications are the Achilles’ Heel of the modern financial industry. Reportedly, the intrusion had happened in March but was noticed only upon notification in late July. Given Capital One’s [comparatively] immense capacity to invest into cybersecurity and the allegedly trivial nature of the vulnerability, such a protracted detection timeline is incomprehensibly huge. Legal ramifications of the breach may be both exorbitant and protracted, including regulatory fines and penalties, individual and class action lawsuits by the victims. Talking about the alleged suspect, one should remember the presumption of innocence. The person in question could have been tricked to access or download the data without any intent to sell it or use it with malice, serving as a smoke-screen to mislead law enforcement agencies. Until all the circumstances of the incident become crystal-clear, it would be premature to blame anyone. Victims should now carefully monitor their credit scores and be extremely cautious about any abnormal activities with their accounts. If the data was stolen and sold, we may expect a wave of sophisticated spear-phishing.”
Steve Armstrong, Regional Director UK, Ireland & South Africa, Bitglass
July 31, 2019
Controls are essential.
“Access to cloud data repositories should be controlled by contextual access control as a bare minimum - by first identifying the user, the device and the location of access, organisations can take policy-based remediation of these types of issues. Furthermore, data centric controls should be applied - data encryption tied to the data owner’s key management system would have gone some way to mitigating the risk of plain text data being stolen. By tying this to IaaS posture management to ensure that S3 buckets are secured in line with best practice, the risk to the data would have been mitigated.”
Tim Mackey, Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center), Synopsys
July 31, 2019
The disclosure by Capital One of a breach impacting 100 million users highlights the importance of auditing your software supply chain regularly and validating the current configuration of systems against their expected state and then auditing all access against expected actions. As identified in the FBI Complaint, access was facilitated by a misconfiguration of a firewall. Once able to access Capital One’s systems using this account, the accused perpetrator was able to identify an account with access to Amazon S3 storage used by Capital One. Armed with this access, the perpetrator was able to list the contents of the S3 buckets and then copy the data in them. Forensically, Capital One identified that certain specific files were only accessed by this account once in the time period in question. Such limited use accounts are prime targets for malicious activity as they often fall below the “top 10” usage stats and thus should always be monitored for unexpected or unexplained usage patterns. Importantly, had the perpetrator followed a responsible disclosure process, such as the one published by Capital One and used to report the location of the breached files, then she might not be facing these criminal charges and we as consumers might have avoided yet another instance of our personal data becoming available for public consumption. This type of system misconfiguration and elevation of access is the type of thing white hat security teams seek to identify and report to system owners.
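One way to monitor the “limited use” accounts the comment above describes, added here as an example and not Capital One's or Synopsys' detection logic: a per-principal baseline of event counts is built from CloudTrail-style records that predate a detection window, and any principal with little history that enumerates buckets and then reads many distinct objects inside the window is flagged. The log records, role names, bucket names and the 2019-03-22 window start are constructed; only the CloudTrail field names and S3 event names are real.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW_START = datetime(2019, 3, 22, tzinfo=timezone.utc)   # constructed window
ENUMERATION_EVENTS = {"ListBuckets", "ListObjects", "ListObjectsV2"}
READ_EVENTS = {"GetObject"}


def make_event(when, principal_arn, event_name, bucket=None, key=None):
    """Minimal CloudTrail-shaped record carrying only the fields the detector reads."""
    return {
        "eventTime": when.isoformat(),
        "eventSource": "s3.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"arn": principal_arn},
        "requestParameters": {"bucketName": bucket, "key": key},
    }


def build_sample_events():
    """Constructed log: a busy export role, a quiet role, and a rarely used role
    that suddenly enumerates three buckets and pulls their contents."""
    busy = "arn:aws:iam::111122223333:role/example-nightly-export"
    quiet = "arn:aws:iam::111122223333:role/example-backup-check"
    rare = "arn:aws:iam::111122223333:role/example-legacy-report"
    events = []
    for day in range(1, 31):                       # 30-day baseline for the busy role
        for i in range(5):
            events.append(make_event(WINDOW_START - timedelta(days=day, hours=i), busy,
                                     "GetObject", "example-exports", f"export-{day}-{i}.csv"))
    events.append(make_event(WINDOW_START - timedelta(days=20), rare, "GetObject",
                             "example-reports", "q4-summary.csv"))
    events.append(make_event(WINDOW_START - timedelta(days=9), quiet, "GetObject",
                             "example-backups", "manifest.json"))
    t = WINDOW_START + timedelta(hours=1)          # activity inside the window
    for i in range(50):
        events.append(make_event(t + timedelta(minutes=i), busy, "GetObject",
                                 "example-exports", f"export-w-{i}.csv"))
    events.append(make_event(t, quiet, "GetObject", "example-backups", "manifest.json"))
    events.append(make_event(t, quiet, "GetObject", "example-backups", "index.json"))
    events.append(make_event(t, rare, "ListBuckets"))
    for bucket, count in (("example-applications", 10), ("example-reports", 15),
                          ("example-archive", 15)):
        events.append(make_event(t, rare, "ListObjects", bucket))
        for i in range(count):
            events.append(make_event(t + timedelta(seconds=i), rare, "GetObject",
                                     bucket, f"part-{i}"))
    return events


def rare_principal_bulk_reads(events, window_start, baseline_max=5, min_objects=10):
    """Flag principals with at most `baseline_max` events before the window that,
    inside it, enumerate and then read at least `min_objects` distinct objects."""
    baseline = defaultdict(int)
    activity = defaultdict(lambda: {"enumerations": 0, "objects": set()})
    for ev in events:
        when = datetime.fromisoformat(ev["eventTime"])
        arn = ev["userIdentity"]["arn"]
        if when < window_start:
            baseline[arn] += 1                      # history, not a candidate action
            continue
        name = ev["eventName"]
        params = ev.get("requestParameters") or {}
        if name in ENUMERATION_EVENTS:
            activity[arn]["enumerations"] += 1
        elif name in READ_EVENTS:
            activity[arn]["objects"].add((params.get("bucketName"), params.get("key")))
    alerts = []
    for arn, rec in activity.items():
        if (baseline[arn] <= baseline_max and rec["enumerations"] > 0
                and len(rec["objects"]) >= min_objects):
            alerts.append({
                "principal": arn,
                "baseline_events": baseline[arn],
                "enumerations": rec["enumerations"],
                "objects_read": len(rec["objects"]),
                "buckets": sorted({b for b, _ in rec["objects"]}),
            })
    return alerts


if __name__ == "__main__":
    for alert in rare_principal_bulk_reads(build_sample_events(), WINDOW_START):
        print(alert)
```

The rule deliberately ignores the busy export role, which is the point the comment makes about accounts that fall below the “top 10” usage stats; a compromised high-volume role needs a separate rule on deviation from its own rate, and both belong alongside a check that the role's observed actions match the actions it is expected to perform.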
Jonathan Bensen, CISO, Balbix
July 31, 2019
The key to preventing a breach like what Capital One has suffered is to leverage security tools that employ AI and ML.
“Despite what has been reported, this data was not hacked from Capital One. The accused individual was charged with intentionally accessing a computer without authorization that contained information belonging to Capital One Financial Corporation. Fortunately, Capital One has a responsible disclosure program that allowed a good samaritan to contact the company and let it know about the leaked S3 data in the accused’s GitHub. Misconfigurations have become commonplace and have led to several known data breaches in 2019, including instances affecting Total Registration, Orvibo and Tech Data. To get an accurate idea of breach risk, organizations need to analyze a lot of data – up to several hundred million time-varying signals from the extended network of devices, apps and users. This involves continuously monitoring all enterprise assets across hundreds of potential attack vectors to detect vulnerabilities and analyzing this data to produce risk insights. The key to preventing a breach like what Capital One has suffered is to leverage security tools that employ artificial intelligence and machine learning that analyze the tens of thousands of data signals to prioritize which vulnerabilities to fix first, based on risk and business criticality. Obviously in this case, adding a password to the AWS server containing over 100 million records of sensitive personally identifiable information (PII) should have been prioritized. Organizations must adopt advanced security platforms to get visibility into their cybersecurity posture, proactively manage risk and avoid breaches instead of reacting to a security incident after it occurs.”
Igor Baikalov, Chief Scientist, Securonix
July 30, 2019
Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds.
The perpetrator of this breach was identified unusually fast and turned out to be a former employee of AWS, a cloud computing company contracted by Capital One, according to NYT and Bloomberg. Capital One is a standout in the financial institutions community by going public cloud while most of its peers hedged the risk by implementing additional security controls around their private clouds. This fact alone shouldn’t be considered a setback for the adoption of public cloud. It should rather be viewed as another harsh reminder of the importance of third party security and insider threat programs for both providers and consumers of public cloud services.
Jake Moore, Cybersecurity Specialist, ESET
July 30, 2019
Capital One didn’t report it publicly for nearly two weeks after the breach occurred, until the FBI had arrested someone - something that the ICO has clamped down on in the UK.
All it took was a misconfigured firewall and an experienced software engineer with some clever knowhow to compromise all of this data. It is thought that the alleged criminal hacker once worked for Amazon Web Services, which makes this attack more of an insider threat and should remind companies how important it is to not overlook such risk. Interestingly, Capital One didn’t report it publicly for nearly two weeks after the breach occurred, until the FBI had arrested someone - something that the ICO has clamped down on in the UK. Making the affected customers aware at the earliest opportunity can help defend them from any future fraud should the data reach the dark web.
