Expert Commentary on the Capital One Data Breach

Today, the cybersecurity world became rocked once again in the wake of a new devastating data breach. This time, it was Capital One—major bank and credit card financial services provider. According to authorities’ allegations, a disgruntled third-party employee used her access to compromised 100 million credit card applications. 

Additionally, this employee allegedly managed to compromise thousands of Social Security Numbers and bank account numbers. Moreover, she allegedly dwelt on the network for well over a decade before Capital One discovered the breach. 

This breach raises new questions about cybersecurity and identity, access, the digital perimeter, and the dangers of insider threats. We could go into detail on all of these subjects and how they relate to endpoint security. However, we decided to call in the experts from both endpoint security and identity management to hear their perspectives. 

Let’s dive in! 

Expert Commentary on the Capital One Data Breach 

Tom Kellermann, Chief Cybersecurity Officer, Carbon Black: 

This breach highlights a few important realities for cybersecurity in 2019. First, perimeter-based security measures will not prevent 100% of attacks, 100% of the time. Without visibility into what’s occurring on an enterprise, a business may be completely blind to attacks like this, especially when you consider that Paige Thompson once worked at Amazon as an engineer for the same server business that supported Capital One. Modern threats come can come from all domains, including former employees, partners or contractors. A business needs to consider all the potential risks and work to gain visibility across the business into where potential weaknesses exist. 

Second, it’s absolutely imperative for businesses to secure their cloud infrastructures and the critical data they hold. Capital One is one of the most “cloud-forward” financial companies in the world; they should be partnering with solution providers who are intimately aware of how to keep the cloud secure.

What should not be lost in this is that Capital One is one of the globe’s most recognizable and ubiquitous financial brands that houses critical financial and personal information. As Carbon Black’s research has found, financial institutions are increasingly being targeted by advanced attacks that leverage “island hopping,” lateral movement, counter incident response and fileless attacks. The modern bank heist is now in cyberspace. 

Capital One customers who are concerned about this breach should keep a close eye on their statements and report any suspicious activity immediately. Customers should also consider signing up for security alerts from Capital One; they should be extra vigilant over the coming months for possible phishing emails.

Giora Omer, Head of Security Architecture, Panorays: 

An interesting aspect to consider in this breach is that Capital One also serves as a supplier for businesses. It has an outstanding security team and the highest standards and methodologies in cybersecurity, particularly in the cloud. 

Therefore, this breach illustrates how every company is vulnerable – it could be a large, small, critical or low-risk supplier. Companies working with suppliers need to make sure of the security standards put in place at the consumer, the type of data that they are sharing with that supplier and how to mitigate risk in case the supplier is breached. Hopefully for Capital One, the different controls put in place, including bounty programs and tokenizing sensitive data, will prevent this breach from becoming “Equifax 2.”

Felix Rosbach, Product Manager, comforte AG:

The risk of a breach is higher than ever before for financial institutions. Those breaches create a lot of stress on both the issuer’s side and on consumers; fraud is easy to commit with stolen account information. Classic defense like firewalls only protect you from known attack methods and often fail when it comes to insider threats.

It’s crucial to protect sensitive data over the entire data lifecycle. A lot of organizations use classic encryption to do that. While Capital One stated that they are encrypting their data as a standard, “particular circumstances” enabled the decrypting of data. Due to complex key management and the fact that keys can be shared or exposed, classic encryption can fail.

Fortunately, Capital One used tokenization to protect social security numbers and account numbers. As this is a different approach to data security – ideally not involving the distribution of keys – the tokenized data remained protected. However, recent tokenization technology could have been used to protect not only social security numbers and account numbers but also personal information, customer status data, and transaction data.

Implementing data-centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward. Acquirers, merchants, and issuers should only use tokens instead of clear-text data to process payments and store sensitive data. If hackers get access to these tokens, the data is useless. This also reduces stress on both sides, for businesses and consumers.

Colin Bastable, CEO, Lucy Security: 

At last, tokenization is deployed, doing what it is supposed to do. Good job, Capital One, more please!

But, what’s in your inbox? Capital One victims are going to be phished for years to come – long after the cliched 12 month’s credit monitoring is done. So they and their employers should learn how to spot a phishing attack. The Dark Web probably knows more about most people in North America than their governments will publicly admit to. Employers need to protect themselves by ensuring that their employees are security-aware.

Hackers are more motivated to attack than defenders are to defend — playing defense is a continuous and often thankless task, but breaching defenses is an intellectual, tactical and strategic victory. 

Laurence Pitt, Global Security Strategy Director, Juniper Networks: 

This is a real wow – and very worrying. Malicious insiders are a huge risk to any organization. Someone who is unhappy can be subverted for either money or simply to cause damage and disrupt business systems. The alleged hacker had previously worked for Amazon, and accessed Capital One servers rented from AWS. This would seem to indicate that she either knew of a weakness in AWS and took advantage (unlikely) or retained access to AWS cloud in a way that allowed her to gain access to the Capital One systems. This latter would still be a complex hack though as I’m sure that C1 would be using multiple factors to authenticate including tokens or SMS messaging codes.

The bottom line is that anyone can become malicious if they are unhappy; any organization which grants high-levels of access rights to their systems also needs a process which can simply and quickly revoke said rights. We often hear about zero-day start processes which ensure that a new-starter has a laptop, phone, email, and ability to work as soon as they join. How about ensuring that they also have zero-day stop too? Meaning that all systems access can be audited and revoked fast when someone either leaves, or is removed, from their employment.

Thank you to our endpoint security and identity management experts for their time and expertise! To learn more about protecting your data, you should check out our 2019 Endpoint Security Buyer’s Guide! We cover the top solution providers in the field and their key capabilities!