Capital One, one of the nation’s largest financial institutions, announced that one of its employees had gone rogue and was responsible for stealing information from consumers and small businesses.
This information included personal information Capital One collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
- Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
Approximately 140,000 Social Security numbers and 80,000 linked bank account numbers were also compromised as part of the theft. 1 million Canadian Social Insurance Numbers were compromised as well.
Capital One stored consumer and small business information on S3, a cloud storage service offered by Amazon.com. The court complaints detail the FBI's investigation into how an attacker was able to access and download data from up to 700 different Amazon S3 buckets.
There have been a number of different data breaches related to improper security controls at various organizations using Amazon S3.
Something as simple as a misconfiguration can have huge consequences for an organization’s reputation. With a growing number of data breaches, covering everything from medical records to purchasing habits, the stolen data is starting to paint a comprehensive picture of the average individual. With any technology implementation, due diligence must be performed to reduce the likelihood of a cyber breach.
Cloud Computing does not outsource risk and security
Cloud computing is simply borrowing someone’s computer. By no means does it equate to transferring the risk and security responsibilities to that entity. Risk and threat models need to reflect the change of ownership of computers, and where data lives on a day-to-day basis. At the end of the day, it is on executive management and senior management to understand and accept that risks and security burdens are still on the organization but appear different operationally. Cloud is not the silver bullet to your security challenges.
We are all human. We make mistakes. No one is perfect. It is the reality of being mortal. It is important that assessments, audits, penetration tests, and red team engagements are performed on a regular basis. It is even more important that the mantra of trying to “pass” these engagements by any means possible be put behind us. Achieving a passing score is an important metric, but achieving it by any means possible sets an entire organization back because it does not allow the necessary resources to be allocated to address gaps identified during these reviews. When sick, we do not get better unless we disclose all the symptoms to a doctor who can assess them and prescribe the correct medicine.
Technologists, practitioners, subject matter experts, and management need better soft skills. The days of assuming that management understands everything are long gone. It is no longer possible for technologists and practitioners to stay in their cubicles or digital walled gardens. Technical experts need to improve their ability to communicate the risks of adopting technology. Management needs to press its technical experts to do proper due diligence to identify risks.
Audit, Logging, Monitoring, and Acting Upon Them
A huge saving grace for Capital One was the level of detail in its logs, which enabled the company to reconstruct the series of unfortunate events. Organizations should have robust logging and controls in place to protect those logs. However, despite Capital One having these logs, the data breach went undetected for close to four months. Consistent, active monitoring and knowing what to look for are essential to identifying anomalies quickly. Your threat hunters are looking for needles in ever-growing haystacks.
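One way to turn "knowing what to look for" into a concrete check, given that the data came from many different S3 buckets: flag any identity that reads from an unusual number of distinct buckets in a short window. This is an added example, not code from the original post or from Capital One; it assumes CloudTrail-style records with one JSON object per line, and the role names, bucket names, sample records, one-hour window and threshold are all constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

READ_EVENTS = {"GetObject", "ListObjects"}  # S3 event names treated as reads

def parse(line):
    """Return (time, principal ARN, bucket) for an S3 read event, else None."""
    rec = json.loads(line)
    if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in READ_EVENTS:
        return None
    bucket = (rec.get("requestParameters") or {}).get("bucketName")
    arn = (rec.get("userIdentity") or {}).get("arn")
    if not bucket or not arn:
        return None
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"), arn, bucket

def bucket_fanout(lines, window=timedelta(hours=1), threshold=5):
    """Map each principal that read more than `threshold` distinct buckets
    inside any sliding `window` to the largest distinct-bucket count seen."""
    per_principal = defaultdict(list)
    for when, arn, bucket in filter(None, map(parse, lines)):
        per_principal[arn].append((when, bucket))
    alerts = {}
    for arn, hits in per_principal.items():
        recent = deque()
        for when, bucket in sorted(hits):
            recent.append((when, bucket))
            while when - recent[0][0] > window:  # drop reads older than the window
                recent.popleft()
            distinct = len({b for _, b in recent})
            if distinct > threshold:
                alerts[arn] = max(alerts.get(arn, 0), distinct)
    return alerts

def _event(ts, role, name, bucket, source="s3.amazonaws.com"):
    # Helper that builds one constructed log line (hypothetical roles and buckets).
    return json.dumps({"eventTime": ts, "eventSource": source, "eventName": name,
        "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/{role}/session"},
        "requestParameters": {"bucketName": bucket}})

# Constructed sample records, not taken from any real log.
SAMPLE = (  # a batch job cycling over 2 buckets, then a role fanning out over 8
    [_event(f"2019-01-01T0{h}:00:00Z", "example-batch-role", "GetObject", f"reports-{h % 2}") for h in range(8)]
    + [_event(f"2019-01-01T03:0{m}:00Z", "example-app-role", "ListObjects", f"bucket-{m}") for m in range(8)]
    + [_event("2019-01-01T03:30:00Z", "example-batch-role", "PutObject", "uploads")])

if __name__ == "__main__":
    for arn, count in bucket_fanout(SAMPLE).items():
        print(f"ALERT {arn} read from {count} distinct buckets within one hour")
```

In practice the threshold would be set per role from its own historical baseline rather than as a single fixed number.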
This data breach joins a long line of others. We cannot accept that data breaches are the new norm. As we learn more from this insider attack, there will be more lessons to learn to minimize the likelihood of another data breach of this magnitude. We must be vigilant to protect our stakeholders, who entrust us to protect their data, their identity, and their livelihood at all times.