Capital One Data Breach Highlights Need for Supply Chain Security

The Capital One data breach includes credit card applications as far back as 2005.

Edward Gately, Senior News Editor

July 30, 2019


If Capital One’s in your wallet, you may have a problem.

Capital One has confirmed that a malicious hacker gained access to more than 100 million of its customers’ accounts and credit card applications earlier this year. The data breach affected about 100 million individuals in the United States and about 6 million in Canada.

The largest category of information accessed was information on consumers and small businesses from when they applied for credit cards from 2005 through early 2019. This information included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income.

Other information included credit scores, credit limits, balances, payment history, contact information, about 140,000 Social Security numbers of credit card customers, and about 80,000 linked bank account numbers of secured credit card customers.

The FBI has arrested Paige Thompson, a former AWS employee in Seattle, for allegedly hacking into a server rented by Capital One.

“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” the bank said. “However, we will continue to investigate.”


Sophos’ Chet Wisniewski

Chet Wisniewski, principal research scientist at Sophos, tells us the loss of consumer information at Capital One is another example of a trend in data loss incidents that are becoming increasingly commonplace — especially in recent months.

“Supply-chain security is a critical component for information security, and as organizations embrace cloud technology, they need to understand and address the inherent risks to information stored there,” he said. “Securing every aspect of the supply chain has never been more important, and that not only includes the physical and software components of information systems, but also staff and the staff of those who provide you with the services needed to deliver your product.”

Protecting sensitive information you have been entrusted with applies whether that data is stored on your own computer equipment or someone else’s, Wisniewski said.

“Encryption and access control is essential regardless of where, and especially if, you are storing sensitive business data,” he said.

Rob Cataldo, Kaspersky‘s vice president of U.S. enterprise sales, tells us it appears the attacker exploited a misconfigured web application firewall that gave her privileges to access S3 data on a cloud-hosted server. Without knowing the extent to which this misconfiguration occurred or the exact method used for exploitation, it’s difficult to tell whether an improved posture may have prevented the breach from happening, he said.


Kaspersky’s Rob Cataldo

“Unfortunately, this event validates that data breaches are becoming inevitable, even for organizations with sizable investments and resources dedicated to cybersecurity,” he said. “This being the case, security vendors and MSSPs should be proactive in ensuring their customers are optimally configured and trained through proper customer life-cycle management, the result of which could be prevention or earlier detection of a breach. Moreover, vendors and MSSPs with knowledge in this space should help prepare organizations in case of a breach to best minimize the damage caused through authoritative, appropriate, accurate and timely actions.”

Monique Becenti, product and channel specialist at SiteLock, tells us a breach like this indicates that even digitally minded organizations can be impacted by a cyberattack. Data breaches not only impact operations, but can jeopardize fleeting consumer trust, she said.


SiteLock’s Monique Becenti

“With this breach in particular, small business owners were one of the primary groups affected, so this reminds us that businesses of all sizes must always remain actively involved in proactively securing their digital assets and identity,” she said. “With every breach there are a number of lessons to be learned for MSSPs and cybersecurity providers. Above all, breaches indicate the importance of being proactive about security. Businesses can prevent attacks like this by consulting with their cloud-hosting provider on what they can do to secure their cloud server. While providers offer out-of-the-box security tools and configurations, it’s important for businesses to know where the security ends [and] their responsibility begins. When it comes to protecting sensitive data, encryption is a priority a business must keep in mind when protecting consumer data.”

According to a new study by IBM Security, the cost of a data breach has risen 12% over the past five years and now costs $3.92 million on average. These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks.

The financial consequences of a data breach can be particularly acute for SMBs. In the study, companies with fewer than 500 employees suffered losses of more than $2.5 million on average, a potentially crippling amount for small businesses, which typically earn $50 million or less in annual revenue.

Cataldo said the following recommendations can go a long way toward helping organizations mitigate breaches of a similar nature:

  • Set up a method or medium that allows responsible disclosure of breaches or vulnerabilities (Capital One had this mechanism in place).

  • Have configuration validation and continued assessment of security controls for all security tools.

  • Work with cloud providers when necessary to ensure relevant logging is enabled for your infrastructure.

  • Categorize data in the cloud and employ data leak prevention solutions.

  • Conduct a configuration review of your infrastructure, especially where sensitive data resides, and align it with security best practices.

  • Enable automated alerts upon unauthorized changes in the settings from the system baseline configuration.

  • Enforce multifactor authentication (MFA) for administrative accounts.

  • Use threat data feeds to block network connections originating from malicious network addresses or from known TOR/VPN exit nodes.

  • Use a dedicated security product for cloud protection that detects threat activity inside the cloud environment.
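As an added illustration of the configuration-review, logging, baseline-alerting and threat-feed recommendations above (example code written for this article, not Capital One's, Kaspersky's or any other vendor's tooling), the script below does two things: it checks a bucket inventory and an instance-role IAM policy against a simple baseline, and it runs a detection rule over CloudTrail-style events. The rule looks for the signal that matters when a cloud server's credentials are misused: an EC2 instance role's temporary credentials being used from an address the instance itself would never egress from, or from an address on a TOR/VPN exit-node feed. The bucket inventory, the two policies, the egress range, the "threat feed" and every event are constructed sample data with documentation-range addresses; the event fields are trimmed from the CloudTrail record format to the ones the rule reads.

```python
"""Added example for this article (not Capital One's, Kaspersky's or any vendor's
code): a baseline review of S3 bucket and IAM-role configuration, plus a rule run
over CloudTrail-style events that flags an EC2 instance role's temporary
credentials being used from outside the address range the instance egresses from.
Every bucket, policy, address and event below is constructed sample data."""
import ipaddress
from collections import defaultdict

# ---- (1) Configuration review against a baseline ---------------------------
# Constructed inventory: what an export of bucket settings might look like.
BUCKETS = [
    {"name": "cc-applications", "sse": "aws:kms", "block_public": True, "class": "pii"},
    {"name": "marketing-assets", "sse": None, "block_public": False, "class": "public"},
    {"name": "scores-export", "sse": None, "block_public": False, "class": "pii"},
]

# Constructed IAM policy on a web-tier instance role: the overbroad form.
WEAK_ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}
# The scoped form a web tier should carry: one action, one bucket.
SCOPED_ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::marketing-assets/*"},
]}

def review_buckets(buckets):
    """Baseline: buckets classed pii must have default encryption at rest and
    public access blocked. Returns (bucket name, finding) pairs."""
    findings = []
    for b in buckets:
        if b["class"] != "pii":
            continue
        if not b["sse"]:
            findings.append((b["name"], "no default encryption"))
        if not b["block_public"]:
            findings.append((b["name"], "public access not blocked"))
    return findings

def review_policy(policy):
    """Flag Allow statements with wildcard actions or resources: a stolen
    credential inherits exactly this scope, so keep it narrow."""
    findings = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(a.endswith("*") for a in actions) or "*" in resources:
            findings.append(f"overbroad: {actions} on {resources}")
    return findings

# ---- (2) Detection over CloudTrail-style events -----------------------------
# Assumed: the VPC's NAT egress block, i.e. where instance-role calls come from.
EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed threat feed: addresses to treat as known TOR/VPN exit nodes.
EXIT_NODES = {"198.51.100.23"}
# Constructed role session ARN for the web tier's instance role.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/web-tier-role/i-0abc123"

def event(name, ip, bucket=None, arn=ROLE_ARN):
    """Build one trimmed CloudTrail-style record (constructed sample)."""
    e = {"eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"type": "AssumedRole", "arn": arn}}
    if bucket:
        e["requestParameters"] = {"bucketName": bucket}
    return e

EVENTS = [
    event("GetObject", "203.0.113.7", "marketing-assets"),   # normal: via NAT egress
    event("ListBuckets", "198.51.100.23"),                   # role used from an exit node
    event("ListObjects", "198.51.100.23", "cc-applications"),
    event("GetObject", "198.51.100.23", "cc-applications"),
    event("GetObject", "198.51.100.23", "scores-export"),
]

def detect(events, expected=EXPECTED_EGRESS, exit_nodes=EXIT_NODES, bucket_limit=2):
    """Return alerts keyed by (role ARN, source IP). Fires per call when an
    instance role is used from a feed address or from outside the expected
    egress range, and once when one session touches bucket_limit buckets."""
    alerts = defaultdict(list)
    touched = defaultdict(set)
    for e in events:
        arn = e["userIdentity"]["arn"]
        if e["userIdentity"]["type"] != "AssumedRole" or ":assumed-role/" not in arn:
            continue  # these rules are specific to role credentials
        ip = ipaddress.ip_address(e["sourceIPAddress"])
        key = (arn, str(ip))
        if str(ip) in exit_nodes:
            alerts[key].append(f"{e['eventName']} from known exit node")
        elif not any(ip in net for net in expected):
            alerts[key].append(f"{e['eventName']} from outside expected egress")
        bucket = e.get("requestParameters", {}).get("bucketName")
        if bucket:
            touched[key].add(bucket)
            if len(touched[key]) == bucket_limit:
                alerts[key].append(f"enumerating buckets: {sorted(touched[key])}")
    return dict(alerts)

if __name__ == "__main__":
    for name, finding in review_buckets(BUCKETS):
        print("CONFIG", name, finding)
    for finding in review_policy(WEAK_ROLE_POLICY):
        print("CONFIG web-tier-role", finding)
    for key, reasons in detect(EVENTS).items():
        print("ALERT", key, reasons)
```

Two caveats for anyone adapting this. The S3 `GetObject`/`ListObjects` records the rule depends on are S3 data events, which CloudTrail does not record unless data-event logging is enabled on the trail; that is the concrete form of the "ensure relevant logging is enabled" recommendation above. And the expected-egress range is only a useful baseline if instance-role traffic really does leave through a known NAT block; for roles used from many networks, key the baseline per role rather than globally.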


About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
