In July 2019, leading financial organization Capital One received an anonymous e-mail revealing some bad news: “There appears to be some leaked data of yours in someone’s Github.”
This leaked data was revealed to be the personal details of about 106 million individuals across the US and Canada, mostly consumers and small business owners that have applied for credit card products, including their names, addresses, phone numbers, self-reported income, credit scores and payment history.
While some may breathe a sigh of relief to hear that no card details were compromised, a hacker having access to this information creates more risk than it initially appears to. All data is of value – to someone else. While no immediate financial data is involved, the context that can be built from the other information is a phisher's paradise. In other words, over a hundred million Capital One customers are now at serious risk of fraud.
In reality, the hack started months earlier, with experts estimating that it began as early as March. Paige Thompson, the alleged perpetrator and a former employee of Amazon Web Services (the cloud host for Capital One's data), had initially run a scan of the Internet to find vulnerable computers through which she could access a company's internal networks. In effect, she knocked on as many doors as possible to find those that were unlocked and unguarded.
The open door she found was Amazon Web Services' metadata service, which allowed entry into Capital One's systems. Once inside, other flaws were found and exploited. Because of misconfigured networks, Thompson was able to uncover sensitive credentials from the cloud that were essentially the keys she needed to get into the data vault and access and download the customer records.
This attack is likely to have been a Server-Side Request Forgery (SSRF), in which a server is tricked into making a connection it should not be allowed to make. As this example shows, these attacks are increasingly popular with cyber criminals because of the proliferation of cloud services. A lack of understanding of the potential vulnerabilities creates unnecessary risk for businesses securing data stored in the cloud. It is unclear, as of now, whether Thompson performed the same cyberattack elsewhere.
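As an added illustration of the defensive control that SSRF calls for (example code written for this article, not Capital One's or AWS's own), the function below is the check a URL-fetching feature should run before it connects anywhere on a user's behalf: it refuses non-HTTP schemes, the well-known AWS instance metadata address, and any literal or resolved address that is not globally routable. The `resolver` parameter is an assumption that lets the check run offline; a real fetcher must also connect to the address it validated, or DNS rebinding can bypass the check.

```python
import ipaddress
import socket
from typing import Callable, Optional
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# The AWS instance metadata service answers on a link-local address. A server-side
# fetcher must never be steerable to it, because it hands out instance credentials.
METADATA_HOSTS = {"169.254.169.254"}


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable addresses.

    ip.is_global is False for loopback, link-local (169.254.0.0/16, the IMDS
    range), RFC 1918 private space and IPv6 unique-local space.
    """
    return ipaddress.ip_address(ip_text).is_global


def validate_outbound_url(
    url: str, resolver: Callable[[str], str] = socket.gethostbyname
) -> Optional[str]:
    """Return a rejection reason, or None if the URL is safe to fetch.

    `resolver` maps a hostname to an IP string; it is injectable so the check
    can be exercised without network access (hypothetical parameter).
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname  # lower-cased, brackets stripped from IPv6 literals
    if not host:
        return "missing host"
    if host in METADATA_HOSTS:
        return "metadata endpoint blocked"
    try:
        ipaddress.ip_address(host)
        ip_text = host  # the host is already an IP literal
    except ValueError:
        try:
            ip_text = resolver(host)  # resolve hostnames and check the result too
        except OSError:
            return "hostname does not resolve"
    if not is_public_address(ip_text):
        return f"non-public address {ip_text} blocked"
    return None
```

Pair this gate with network-level egress rules on the instance, since a validator alone cannot cover every path an application might use to reach the metadata endpoint.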
Data breaches of this variety are becoming more common. According to IT Governance, 9.7 billion records have been leaked since the start of 2019. It is now a case of 'when' your data will be compromised, not 'if' it will be.
Any very large source of data attracts a lot of attention from cyber criminals. Even if only a small percentage of those affected fall for a subsequent scam, with a very large number of people impacted it can still yield large sums of money. As more activities and assets are moved to the cloud, and the complexity of and interaction between services increase, it will become even more difficult to secure them.
The cloud used to be leveraged to stand up new services more quickly than could be done in-house. However, the potential lack of control and the increased threat vectors mean that organizations should start to dedicate more time to an overarching architecture – with the emphasis on security, security, security. Specialists who understand the threat landscape need to be employed from the outset and must test the system as it is put together. The solution development team needs to include the usual architecture and network skill sets, but also penetration testers and the operational team who will ultimately run and manage the solution. The increasing complexity of systems creates vulnerabilities that are harder for businesses to anticipate, but with the right team, risk can be minimized.
Credibility and accountability
Since the attack, Amazon has released a statement that passes all blame to Capital One. It says that none of Amazon's services, including the metadata service, could have been the underlying cause of the break-in, and that its service includes monitoring tools designed to detect these incidents. It is unclear, however, why these tools did not sound the alarm at any point at Capital One. In the cloud environment, a 'simple' misconfiguration or lack of patching can have devastating consequences – with cyber criminals constantly looking for the weak link that gives them their initial 'in'.
Capital One’s language in its messaging dodged the issue at hand. "No bank account numbers or Social Security numbers were compromised, other than: about 140,000 Social Security numbers of our credit card customers and about 80,000 linked bank account numbers of our secured credit card customers," the company wrote in a statement following the breach.
The major issue this breach calls attention to, then, is a lack of ownership and accountability. And while it does not fall under GDPR, we expect that to be a factor in deciding an upcoming fine for the company. Other countries and even individual US states are introducing legislation similar to GDPR which could well be used. At a time when cyber security needs to be a shared responsibility (GDPR makes this very clear), there is no place for finger-pointing, especially as consumers' confidence in the general security of their data is waning fast.
As well as the threat of a significant fine looming over Capital One's head, it also has to contend with the other consequences that come with a data breach, including reputational damage, consumer protection services, and increased audit and insurance fees. The more this happens, the more distrust the general public has in online providers, meaning they are more likely to limit their online activities to a few select trusted suppliers, which will be bad for economies everywhere.
While Capital One has said it will make free credit monitoring and identity protection available to its affected customers, regaining trust does not come cheap. The company expects to incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support. The immediate market response is clear; Capital One’s shares dropped by 6% following the breach.
Prioritizing cyber security
Cyber security should be more of a priority for companies now than ever before. Even small mistakes, or a disgruntled former employee, can lead to huge losses, in terms of both money and trust. The attitude towards non-financial sensitive data needs to change – it should be viewed as just as important as the financial account (PCI) data itself and afforded the appropriate protection.
Monitoring activity, especially watching for sensitive data transfers, is a must and there are technologies that will ease the burden of this, including Clearswift’s Secure Web Gateway (SWG), which has the ability to inspect all content being downloaded from, and uploaded to, the web. Furthermore, by using lexical analysis capabilities together with Clearswift’s redaction and sanitization technology, hidden sensitive information and metadata can be automatically detected and removed from documents while being uploaded and downloaded. Hence, cyber criminals trying to steal metadata will not be able to transfer it to another system.
Good security is about defense-in-depth, and monitoring for data leaving the system is just one piece of the puzzle. System and network monitoring and regular patching of the operating system and applications are also essential. When using cloud services, ensure the provider has the appropriate security around its infrastructure, patches servers in a timely manner and watches for anomalous behavior on its networks. It might be that a cyber-attack is not targeting your organization, but you get caught up as collateral damage when another company using the same service is attacked.