Recently, we learned about the latest data breach where 106 million Capital One customers in the USA and Canada had personal details stolen.
The data theft resulted in the loss of names, addresses, postal codes, phone numbers, email addresses, dates of birth, self-reported incomes, credit scores, credit limits, balances, payment history and contact records from 2005 to 2019. It also included about 140,000 social security numbers of credit card customers and about 80,000 linked bank account numbers of secured credit card customers as well as about 1 million Canadian Social Insurance Numbers. By any measure, this was a massive amount of data.
New Legislation Promises to Safeguard Data
In this particular case, what was surprising was how fast the incident was resolved. The perpetrator was identified, her house was searched, and she was arraigned on charges a couple of days later – incredible speed for a crime of this sort! Obviously, the recent focus on security measures, industry best practices, legislation like GDPR and corporate promises to better safeguard data have all paid off, right? Nope.
Did Capital One Get Lucky?
This hacker was not so bright and literally bragged about her exploit on GitHub. A fellow user reported her around June 19th (months after the hack) when they realized the hacker was trying to sell the data. That user notified Capital One via an email address dedicated to bug reporting and that’s the first they heard about it.
Full credit to the FBI, which investigated quickly, identified the hacker and was searching her house within days, but if she hadn’t been so reckless Capital One never would have known. In fact, her carelessness online made it simple for the FBI to cross-reference posts on multiple platforms in order to find her name, address, and other details. Some security experts are even speculating that she wanted to get caught.
There can’t be an infosec person that is shocked by the @capitalone vuln details - especially at massive corps.
What surprises me is the “attacker”, @0xA3A97B6C, either didn’t understand the gravity of their actions (& was very sloppy) or did & just really wanted to get caught.
— Nicholas J. Percoco (@c7five) July 30, 2019
So, where does this leave Capital One? Right back in the same place as most other companies that have had data breaches. They apparently misconfigured their AWS systems and exposed a “configuration vulnerability.” How many other systems are misconfigured is a good question. Whether or not Capital One would ever have noticed this on their own is an even better question; they certainly weren’t doing any effective security monitoring. In fact, given the history of organizations trying to downplay, deny or hide data breaches, it’s not uncharitable to wonder if this would have even made the news had the hacker not been arrested so quickly.
What is Capital One Doing About Future Data Breaches?
There’s also no information from Capital One on exactly what they’re going to do about this.
A statement on their web page claims, “We will notify affected individuals through a variety of channels. We will make free credit monitoring and identity protection available to everyone affected.”
It is unknown how long that’s going to take. Note that victims of the Equifax breach have only recently been given the option to make online claims for an incident that occurred back in 2017. Capital One is making the (now standard) claims about the importance of ‘safeguarding client data’ and ‘investing in cybersecurity’, but you can probably guess what that’s worth. Meanwhile, does anyone want to trust Capital One to protect their identity after they’ve already failed spectacularly at doing just that?
Ironic as it is to say this about a massive PR hit, Capital One got lucky. They had a breach, but identified the issue and nailed the perpetrator quickly – thanks to a random bystander. Organizations that don’t maintain good data security practices (i.e., configuring systems correctly) or that don’t engage in regular security monitoring (which would identify configuration vulnerabilities) will continue to see data hacks and breaches. The only question is: how many are happening that we don’t know about? Sadly, relief may only come in the form of hefty fines levied upon careless organizations for violating regulations like GDPR. Hopefully those fines will be big enough to force a change, but in the meantime you may want to keep an eye on your accounts.