Capital One Caught With Its Security Down — Again

Paul Vallée

If you’ve been following this blog for any length of time, you’ll know we spend a lot of time talking about the latest data breaches, and how Tehama’s approach to security would have prevented them. After a while, stories about cyberattacks can all start to sound alike. But yesterday’s report of a new breach at Capital One, hot on the heels of the massive Desjardins incident, is clearly establishing a pattern we must urgently work to stop. It’s a particularly shocking illustration of the modern financial enterprise’s continued vulnerability, and it shows in humiliating detail how much damage can be caused by just one person. 

In Capital One’s case, the stolen data included 140,000 social security numbers, 80,000 bank account numbers, and one million Canadian social insurance numbers. In total, the breach compromised the information of more than 100 million Capital One customers and credit card applicants.

Numbers like these have become familiar when talking about data breaches. But the truly unsettling news here is that the hack appears to have been discovered only after the alleged hacker bragged about her accomplishment online.

According to news reports, the Seattle woman had previously worked as a systems engineer for Amazon Web Services, which hosts Capital One’s remote data servers in its cloud. After leaving AWS, prosecutors charge, the engineer accessed the trove of data through a misconfigured firewall on Capital One’s web application. This opening allowed the hacker to reach Capital One’s servers and download the customer information stored there.

The theft might have gone undiscovered, but the accused then announced it on Slack, boasting, “I’ve basically strapped myself with a bomb vest...dropping capital ones dox and admitting it.” She was arrested after an anonymous tipster alerted the bank on July 17.

In a statement, Capital One said it anticipates the breach will cost it up to $150 million in settlements. That estimate might well prove to be optimistic. After the notorious 2017 Equifax breach leaked the information of 147 million consumers, the credit bureau ended up agreeing to pay out at least $650 million. Even that amount is ridiculously low, amounting to only $4 per person affected. Clearly the standards of care for private data, and the consequences for failing to meet them, are inadequate.

Okay, let’s break down some obvious takeaways from all of this. Apart from the hacker’s apparent thirst for attention, there is very little that’s new in this story. The weakness here wasn’t in the AWS cloud, but in the application that Capital One placed there. No cloud provider is responsible for the security failings of its clients. Capital One might fire the poor soul who erred in configuring the firewall, but the actual responsibility for security resides much further up the food chain — especially since Capital One experienced a similar breach just two years ago.

To put it bluntly, the day of reckoning on security matters arrived long ago, even if repeat offenders like Capital One choose to remain oblivious. Appropriate solutions are already available, and not only Tehama: any bank could make sure all access is brokered through traditional privileged access management and secret-sharing solutions from BeyondTrust, CyberArk, ObserveIT, Centrify, and many others. They are just not bothering. NYDFS 23 NYCRR 500 points the way forward, but even that is toothless if Capital One comes out unscathed. The open question is how we motivate enterprises to do the right thing when the consequences are so low and borne mostly by others, either because it’s their customers who pay the price, or because of the global trend of security through liability transfer (which is really no security at all, just a way of deciding who pays the inadequate price).

The easiest path to actual security for data access and actual compliance is through Tehama. Tehama is a complete SaaS-based work environment that ensures instant security compliance through 105 built-in controls. If I seem annoyed and frustrated, it’s because THIS IS WHY WE BUILT IT: to permit 300+ database and systems administrators at Pythian to do their job serving over 150 enterprises… without incident or exposure. Inside Tehama, any work done on the platform continues to conform to those security controls, with every activity on the platform generating a permanent record.

Tehama provides clean end-user compute white rooms that give you total control over access to your mission-critical and data-sensitive applications. They act like airlocks for data: you can let your global workforce, both internal staff and service providers, into the room. The firewalls, the storage, the infrastructure, and the access policies are all provided for you in one place, and they are managed by you from one dashboard with a single sign-on. These contained and collaborative workspaces operate as a virtual extension of your secured business infrastructure in the cloud. In just minutes, you can onboard users and launch ready-to-work Tehama Rooms for collaboration on Microsoft Windows or Linux virtual desktops.

With Tehama in place, you’re actually protecting your customers’ data, while reducing the risk of the reputational and financial costs now facing Capital One. To learn more about Tehama, download our white paper. Do me a favour: either adopt Tehama, or roll your own even better solution, or spend millions on CyberArk or BeyondTrust or whatever you want. But please, stop losing our data. You are breaking the future, and it has to stop.
