By Ilia Sotnikov, Vice President of Product Management, Netwrix
Data breaches that affect financial institutions always become hot topics to discuss. The recent hack at financial giant and credit card issuer Capital One exposed records of almost 106 million people, which makes it one of the largest hacks in the banking industry ever. This breach took place just a week after Equifax reached a $650 million consumer settlement related to the 2017 breach, which is a sad reminder that no one is safe against breaches and we still lack security.
I would like to share the key facts about the hack to answer the most popular questions and provide recommendations that may help organizations mitigate similar risks.
What happened?
According to Capital One, the breach happened on March 22 and 23, 2019, when an intruder exploited a weakness in a misconfigured web application firewall to gain privileged access to company data stored in an Amazon Web Services (AWS) database. Capital One learned about the breach from a tip sent via email on July 17, which said that some of the company’s leaked data were posted on the software development platform Github.
Who is to blame?
On July 29, FBI agents arrested the software developer and former Amazon Web Services (AWS) employee Paige A. Thompson. According to the criminal complaint, Thompson exploited a misconfigured firewall to access, copy and download nearly 30 GB of sensitive data from an AWS server, where Capital One stored this data. Later she posted on GitHub about her theft of this information.
What was the damage?
This hack exposed the records of almost 106 million people from the U.S. and Canada. All this personal information is related to credit card applications from 2005 to early 2019. Among the data exposed were names, addresses, dates of birth, credit scores, transaction data, Social Security numbers, and linked bank account numbers. Specifically, Capital One mentions 140,000 stolen Social Security numbers and 80,000 linked bank account numbers, as well as 1 million Social Insurance numbers for Canadian customers and applicants.
How did Capital One handle the breach?
Despite Capital One became aware of the breach several months after it happened, the company has demonstrated good cybersecurity practices during this breach. They appeared to know what data they store and were able to selectively protect the most sensitive. For example, although credit applications of millions of people were stolen, no credit card numbers and a relatively small amount of Social Security numbers were compromised due to the bank’s practice to tokenize these pieces of information. Capital One was also prepared to isolate and patch the vulnerability in under 10 days, once it was reported. Finally, Capital One is demonstrating clear and timely communications, which is extremely important in keeping the public’s trust in the aftermath of a breach.
Why is this breach unique?
This incident is different from most we hear about for several reasons. First, cybersecurity attacks are usually hard to attribute. In this case, the alleged hacker has been arrested just 10 days after the breach was discovered. While the defendant was trying to cover her tracks, she herself described the hack in several messages on Slack and Twitter. Second, it looks like the hacker was not looking for financial or political gain, but rather just enjoyed cracking complex puzzles. This leads us to believe the stolen data was isolated and is less likely to be used for fraud or other unlawful activity.
Overall recommendations: how can you mitigate the risk of similar breaches?
This data breach highlights the importance of user activity monitoring. The attacker gained access to data through a misconfiguration in a web application firewall and likely compromised a privileged account. To mitigate the risk of such incidents, you need to automatically track the activity of users and set up alerts on both violations of security policy and deviations from normal patterns of behavior, such as attempts to copy a large number of sensitive files. You also need to have controls to investigate the activity of any user across the IT infrastructure, especially when potentially suspicious actions are flagged.
About the Author
Ilia Sotnikov is an accomplished expert in cybersecurity and IT management. He is Vice President of Product Management at Netwrix, provider of a visibility platform for data security and risk mitigation in hybrid environments. Netwrix is based in Irvine, Calif.
