By The Integrity360 Team on August 06, 2019

5 lessons to learn from the Capital One data breach


Data breaches in the financial services sector are never taken lightly considering the potentially devastating fallout that can take place in their aftermaths. The recent data breach reported by Capital One is being treated no differently.

The US-based banking institution recently informed the public that it suffered a major security incident. While the data breach was discovered in late July, the actual actions took place months beforehand.

Although details are still slowly but surely being revealed, it’s already clear that the Capital One data breach will be an event that everyone in security can learn a few lessons from.

What happened in the Capital One data breach?

Before breaking down what companies can take away from the incident, let’s dive into what actually happened first.

On July 19th 2019, Capital One became aware that an unauthorised user was able to access the sensitive information of its customers. After securing the servers that the data lived on, the company worked with the authorities to arrest a suspect who had previously worked at a major cloud computing company in Seattle as a software engineer, according to ZDNet. Capital One worked with the company for its cloud computing needs.

The breach has been estimated to impact 100 million Americans and 6 million Canadians. The data that was accessed includes:

  • Financial information such as credit scores, credit limits, balances and payment history.
  • Transaction logs.
  • Roughly 140,000 Social Security numbers.
  • Around 80,000 bank account numbers.

Luckily, Capital One does not believe that the information has been actively used for fraud. Still, the company is making remediation services readily available including free credit monitoring and fraud protection. Capital One’s estimate puts the financial fallout of the security incident in the $100 million to $150 million range, according to ZDNet.

The security incident itself stemmed from a misconfigured firewall which, when exploited, gave the suspect access to Capital One’s cloud storage buckets. At the time of arrest, the suspect had a list of hundreds of buckets. Capital One learned of the breach when a researcher reported finding the data sitting on a public GitHub listing under the name of the now-arrested suspect.

Lesson #1: Carry out regular penetration tests

Capital One is like any other bank in the world: it spends a considerable amount on the security of its digital infrastructure. But what’s still unknown is how often it tests the resiliency of that infrastructure.

Penetration tests are valuable tools for showing companies where their security is lacking and where their investments are truly working. Without them, businesses all but leave protection from a data breach up to blind faith; hackers won’t target the most secure parts of the company, they’ll go for the weakest elements.

While penetration tests likely won’t find every single vulnerability in a company’s infrastructure as new exploits are being developed daily, booking routine exercises can limit the chances that a hacker is able to take advantage of one.

Lesson #2: When a data breach happens, people want people

The Capital One data breach isn’t like the Equifax data breach of 2017, for a few reasons. For a start, the potential damage or fallout from this security incident is likely limited because a suspect is already in custody and the data that was accessed is believed not to have been used. In the Equifax data breach, the individuals behind it still haven’t been caught.

That provides an amazing amount of reassurance to customers. But what also offers customers a bit of comfort is when a CEO is at the front of a breach – not the IT or security team. Here’s where both companies got it right – the initial press releases from Equifax and Capital One included comments from the CEO.

It’s absolutely essential that a leader steps forward and reassures customers after a data breach, and this often happens even though the leader was involved only at the decision-making level. Expect this to continue as a trend moving forward.

Lesson #3: Build and configuration reviews are worth their weight in gold

When cloud storage servers and databases are launched, they come with strong default security settings. But these settings are often changed as contractors work on the servers, leaving them far less effective.

It’s uncertain exactly how the suspect exploited the misconfigured firewall in the case of the Capital One data breach, but it wouldn’t be all that uncommon if it were due to weak settings being left weak – rather than someone returning them to default or an even stronger configuration after the initial work was done.

Cloud migrations can often be done in a hurry and security might be left on a list of things to do. Make sure cyber security is at the forefront of any decision being made by regularly reviewing firewall configurations to identify potentially vulnerable areas that could lead to a security incident.
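What a configuration review actually checks can be written down and run on a schedule. The Python script below is an added example, not code from Integrity360 or from the article, and it is not tied to any cloud provider’s configuration format: it reviews a constructed firewall rule set, flags internet-facing ingress rules that expose admin or database ports, and compares the live rules to a signed-off baseline so that rules loosened during migration work and never tightened again show up as drift. The Rule schema, the port lists, and the sample rule sets are all assumptions made for the example.

```python
"""Review a firewall / security-group rule set for weak internet-facing ingress
rules and for drift from a recorded baseline. The Rule schema, the port lists and
the sample rule sets below are constructed for this example; they are not any
product's configuration format and not Capital One's configuration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")
# Ports it is usually acceptable to expose to the internet (assumption for this example).
PUBLIC_OK_PORTS = {80, 443}
# Admin and data-plane ports that should never be world-reachable (assumption).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017, 9200}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp" or "all"
    port_from: int   # 0..65535 means every port
    port_to: int
    source: str      # CIDR the rule accepts traffic from


def is_world_open(rule: Rule) -> bool:
    """True if the rule's source is the whole IPv4 or IPv6 internet."""
    return ipaddress.ip_network(rule.source, strict=False) in (ANY_V4, ANY_V6)


def exposed_sensitive_ports(rule: Rule) -> list[int]:
    return sorted(p for p in SENSITIVE_PORTS if rule.port_from <= p <= rule.port_to)


def review_rules(rules: list[Rule], baseline: list[Rule] | None = None) -> list[tuple[str, str, str]]:
    """Return (rule name, severity, message) findings for `rules`.

    Pass the rule set as it was signed off (`baseline`) to also report rules that
    were added or widened since, which is the failure mode where settings are
    loosened during migration work and never tightened again."""
    findings: list[tuple[str, str, str]] = []
    for r in rules:
        if r.direction != "ingress" or not is_world_open(r):
            continue
        if r.protocol == "all" or (r.port_from == 0 and r.port_to == 65535):
            findings.append((r.name, "HIGH", "all traffic from the internet is allowed"))
            continue
        sensitive = exposed_sensitive_ports(r)
        if sensitive:
            findings.append((r.name, "HIGH", f"sensitive ports {sensitive} reachable from the internet"))
        elif not set(range(r.port_from, r.port_to + 1)) <= PUBLIC_OK_PORTS:
            findings.append((r.name, "MEDIUM", f"non-standard ports {r.port_from}-{r.port_to} reachable from the internet"))
    if baseline is not None:
        signed_off = {b.name: b for b in baseline}
        for r in rules:
            b = signed_off.get(r.name)
            if b is None:
                findings.append((r.name, "INFO", "rule not present in the signed-off baseline"))
            elif (is_world_open(r) and not is_world_open(b)) or r.port_from < b.port_from or r.port_to > b.port_to:
                findings.append((r.name, "DRIFT", f"widened since baseline: {b.source} {b.port_from}-{b.port_to} -> {r.source} {r.port_from}-{r.port_to}"))
    return findings


# Constructed sample: the baseline as reviewed, and the live rule set after some
# migration work loosened SSH and left a debugging rule behind.
BASELINE = [
    Rule("web-https", "ingress", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("admin-ssh", "ingress", "tcp", 22, 22, "10.0.0.0/8"),
    Rule("egress-all", "egress", "all", 0, 65535, "0.0.0.0/0"),
]
LIVE = [
    Rule("web-https", "ingress", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("admin-ssh", "ingress", "tcp", 22, 22, "0.0.0.0/0"),      # widened "temporarily"
    Rule("temp-debug", "ingress", "tcp", 8080, 8080, "0.0.0.0/0"),  # never removed
    Rule("egress-all", "egress", "all", 0, 65535, "0.0.0.0/0"),
]

if __name__ == "__main__":
    for name, severity, message in review_rules(LIVE, BASELINE):
        print(f"[{severity}] {name}: {message}")
```

The drift comparison is the part worth keeping: a rule that is wide open is bad on its own, but a rule that was narrow when signed off and is wide now tells you the change happened after the review, which is exactly the pattern the lesson describes. Feeding the script the live rule set on a schedule (rather than once at go-live) is what turns it into a review.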

Lesson #4: Always be monitoring the network

Not every company can afford their very own Security Operations Centre (SOC), even if it’s in the financial services sector. But the Capital One data breach reminds us of the importance of having a team always monitoring your network.

The suspected hacker’s activity may have set off alerts if the right policies were in place. A dedicated, 24x7x365 SOC team would have seen those alerts and quickly acted on them. Instead, the data breach went under the radar for months before Capital One was able to find out.
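The “right policies” need something concrete to fire on. The Python below is an added example, not Integrity360’s or Capital One’s tooling: a small detector that reads constructed storage access-log lines (the line format is invented for the example) and raises an alert when one identity touches an unusually large number of distinct buckets inside a sliding time window, the kind of pattern that would precede a “list of hundreds of buckets”. The threshold and window values are assumptions to be tuned against your own baseline traffic.

```python
"""Sliding-window detector for one identity enumerating many distinct storage
buckets in a short time. The log line format and every sample line are
constructed for this example; they are not a real provider's audit log format."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) principal=(?P<principal>\S+) "
    r"action=(?P<action>\S+) bucket=(?P<bucket>\S+)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log() -> list[str]:
    """Constructed traffic: an application role hammering its own bucket (high
    volume, one bucket) and a second identity walking through many buckets."""
    t0 = datetime(2019, 3, 22, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(15):  # busy but normal: many reads, a single bucket
        ts = (t0 + timedelta(seconds=3 * i)).strftime(TS_FMT)
        lines.append(f"{ts} principal=role/app-backend action=get bucket=orders-2019")
    lines.append("malformed line that the parser must skip")
    t1 = datetime(2019, 3, 22, 10, 2, 0, tzinfo=timezone.utc)
    for i in range(12):  # suspicious: a dozen different buckets in under two minutes
        ts = (t1 + timedelta(seconds=7 * i)).strftime(TS_FMT)
        lines.append(f"{ts} principal=role/web-proxy action=list bucket=cust-archive-{i:02d}")
    return lines


def detect_bucket_enumeration(lines, window=timedelta(minutes=5), threshold=10):
    """Return one alert per principal, raised the first time that principal has
    touched `threshold` distinct buckets inside any `window`-long span.
    Lines are assumed to be in timestamp order (true for a per-source log stream)."""
    recent = defaultdict(deque)   # principal -> deque of (timestamp, bucket)
    alerted = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count and surface parse failures
        ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
        principal = m["principal"]
        events = recent[principal]
        events.append((ts, m["bucket"]))
        while events and ts - events[0][0] > window:   # drop events outside the window
            events.popleft()
        distinct = {bucket for _, bucket in events}
        if len(distinct) >= threshold and principal not in alerted:
            alerted.add(principal)
            alerts.append({
                "principal": principal,
                "at": m["ts"],
                "distinct_buckets": len(distinct),
                "window_seconds": int((ts - events[0][0]).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bucket_enumeration(build_sample_log()):
        print(alert)
```

The detector keys on breadth (distinct buckets per identity) rather than volume, so the application role that reads the same bucket fifteen times in a minute stays quiet while an identity that walks across ten different buckets in a minute raises one alert. That is the alert a 24x7 SOC team would need to see and act on; without a team watching, it is just another line in a log.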

Lesson #5: Don’t be afraid of the Dark Web

Capital One found out about the breach because some of the data that was stolen was sitting publicly on the suspected hacker’s GitHub. Not every company can expect to get this lucky.

But that doesn’t mean that businesses can’t monitor the Dark Web (and the normal web too, but don’t expect many results) to track whether their data is in someone else’s hands. In many instances, this information is readily available for sale before the breached company even figures out they’ve suffered a security incident. Monitoring the Dark Web is part of a mature approach to threat intelligence.

We can’t all be perfectly secure in the era of continuous hacking innovation, and Capital One is just another example of what can happen when you aren’t always trying to improve your cyber security. Interested in learning more about protecting your assets and digital infrastructure? Contact Integrity360 today.
