Image credit: AP | MGN
Capital One announced on Monday that on July 19, 2019, a hacker gained unauthorized access to accounts of over 100 million in the US and approximately 6 million in Canada. The largest category of information accessed was information submitted by consumers and small businesses as they applied for Capital One credit cards from the period of 2005 through early 2019. This information including names, addresses dates of birth, income, and in some instances Social Security numbers and bank account numbers. The individual responsible for the breach is in custody. For more on this, see the Capital One press release issued today. (Side note: It is particularly ironic to hyperlink to the Capital One website only to notice the site is not an HTTPS secure site.)
Capital One Breach — A Terrible, Horrible, No Good, Very Bad Day
Analyst Take: For Capital One there are a 100 million reasons the company had a terrible, horrible, no good, very bad day. This was the largest data breach to date for a financial services firm, announced on the heels of the news of the $700 million Equifax class action settlement for consumers affected by its data breach in the fall of 2017. This is also the third data breach suffered by Capital One involving customers’ personal data (one in 2014 and one in 2017).
For consumers, it seems like another day another data breach, but for financial services organizations, it’s another day that CIOs wake up in a cold sweat.
Capital One Breach — The Details
Paige Thompson, the suspected hacker, a software engineer and former Amazon AWS employee, hacked into a server holding customer information and then, unable to keep her success to herself, bragged about it online groups, as well as on Twitter and Slack. Smart cookie.
Investigators believe Thompson gained access through a misconfiguration of a firewall on a web app, which allowed her to communicate with the server where Capital One’s data was stored. While AWS hosted the remote data servers for Capital One, its enterprise customers generally control the applications they build on top of the AWS cloud, customizing them as needed for their unique use cases. It seems that Thompson’s former experience with AWS might have played a role in her success at hacking into the Capital One database.
It was likely not the best day for Amazon’s AWS division, as instances like this give everyone pause about the security of the cloud services providers they rely on to keep their data safe. Amazon reported no compromise to its underlying cloud services and Capital One assures the public they have fixed the vulnerability.
Financial Services are a Prime Target for Hackers
Unfortunately, the Capital One breach doesn’t come as a surprise. Financial Services organizations remain the number one target for hackers. According to IBM’s 2019 X-Force Threat Intelligence Index Report, the finance and insurance sector has been the most-attacked industry for three years in a row, with 19 percent of total attacks and incidents in 2018. The allure here is clear: Personally Identifiable Information (PII) that can be easily obtained and either immediately used for profit or sold on the dark web.
Note that while the financial services and insurance industries are high on cyber criminals’ list of targets (with a whopping 19% of all reported total attacks in 2018) other targets include Transportation Services (13% of total attacks), Professional Services (12%), Retail (11%), Manufacturing (10%), Media (8%), Government (8%), Healthcare (6%), Education (6%), and Energy (6%).
Cybersecurity — Put it at the Top of Your To-Do List
There’s a reason that every major tech brand is focused on cybersecurity: Dell, IBM, Cisco, Microsoft SAP, and others understand fully that business can’t be business as usual if customers are vulnerable to hacks and offer a myriad of security solutions. They are also well aware that security threat awareness, budget allocations, internal staffing, and often a not-yet-fully-developed security first culture that emanates from senior leadership down impacts an organization’s ability to prepare for and defend against cyberattacks.
As I said when I started, another day, another security breach. It’s unfortunate, but that’s the state of affairs as it relates to cybersecurity today. Today, it’s the Capital One breach holding the record for the largest breach of a financial services institution, tomorrow, who will it be?
Futurum Research provides industry research and analysis. These columns are for educational purposes only and should not be considered in any way investment advice.