The news cycle in cybersecurity over the last 24 hours has been around the breach that CapitalOne is going through.
I have said it yesterday and I will say it again in this email, CapitalOne is a victim of a crime. We need not pass judgement or start the speculation market. The fact is CapitalOne has a very mature cyber program in today’s industry standards.
The breach in size isn’t nearly as big as Equifax or Marriott and the amount of vital information compromised is less than the recent AMCA breach that impacted the Healthcare industry, so let’s put this in perspective.
First, let’s review the facts:
1. 106M records were comprised mostly of applications by individuals and small businesses and the data exposed was date of birth, claimed income, names and addresses. No vital information was compromised, however see point #2 for the real account of that.
2. Of the 106M records, only 140,000 social security numbers and 86,000 linked bank accountswere compromised. The rest of the critical data was tokenized meaning encrypted within the cloud environment. See paragraph above for my point on this.
3. The hacker was an internal malicious player. While she didn’t work for CapitalOne, she did work for the cloud provider in this case Amazon Web Services and used her internal knowledge to take advantage of a vulnerability within the cloud infrastructure CapitalOne had. Internal threats are real and many breaches this year were due to third-party companies.
4. The Firewall which was misconfigured was the real weakness that caused the breach. Most enterprise organizations employ many firewalls and end point detection systems and prioritize their configuration and implementation on the importance of data and in this case, most of the important data was tokenized and encrypted, so it’s likely the basic configuration was put in place and tightening the screws was scheduled for a later date.
5. CapitalOne bug bounty program worked. They were notified of the breach and within two days were able to confirm and called in law enforcement to assist and find the perpetrator of the breach.
6. The hacker, Paige Thompson was bragging online about the breach and posted some data on popular code hosting site Github (Owned by Microsoft) and it’s reported that the information came from someone who saw the information on Github and notified CapitalOne.
Those are the real facts at this time, so in hindsight how bad is this breach?
I won’t claim it isn’t a bad breach, it’s bad but in hindsight, some of the basic cyber hygiene and fundamentals were in place and the incident response plan worked. The PR by CapitalOne has been Steller, transparent as much as possible and accepting responsibility for their mistakes. The significant PII was encrypted making most of the data obtained by the hacker, most of the data compromised is public data or data already exposed in other breaches like Equifax and others.
Overall, while the MSM is quick to label this a huge breach, as a cybersecurity professional, I have to salute the CapitalOne cyber team for a job well done in responding and remediating the incident.
Should we crucify them?
My answer is NO!!!
We expect organizations to be 100% safe at all times and in today’s cyber space that’s not the case at all. It’s an impossible mission to be asked of them. If you consider the overall picture here, CapitalOne did everything possible to have a solid program in place. There were able to account for data quickly and made the proper notices within a fast time frame.
Two discussions points should arise from this breach:
The first is, I am sure an investigation into CapitalOne will take place when it should be at Amazon Web Services and examining how an employee there was able to do this. They will get some sort of fine and they will do the right thing by compensating those individuals and businesses that were actually impacted from this breach. Somehow Amazon will end up paying CapitalOne something for this.
The other discussion is around data hoarding. How long should organizations keep data around for, what’s the purpose of this data and who is it serving?