What Could Capital One’s Data Breach Mean for FIs?

“The risk of a breach is higher than ever before for financial institutions.”

Capital One credit card. (Source: Shutterstock)

Capital One Financial Corp said Monday a hacker obtained personal information, including names and addresses, of approximately 100 million individuals in the U.S. and 6 million people in Canada.

Apparently, the break-in did not compromise credit card account numbers or log-in credentials, and over 99% of Social Security numbers were not compromised, according to Capital One.

“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income,” read a statement posted on the Capital One web site.

Capital One’s statement also specified no compromise of bank account numbers or Social Security numbers, “other than about 140,000 Social Security numbers of credit card customers; and approximately 80,000 linked bank account numbers of its secured credit card customers.” In addition, the incident compromised roughly 1 million Social Insurance numbers of Canadian credit card customers.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Richard D. Fairbank, chairman and CEO, Capital One, said in a company statement. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Capital One said it immediately fixed the configuration vulnerability this individual exploited and promptly began working with federal law enforcement. The FBI has arrested the person responsible. Based on its analysis to date, the financial institution does not believe this individual used the hacked data for fraud or disseminated it.

The arrested suspect, Paige Thompson, is a former Seattle tech company software engineer. According to a complaint filed in the District Court for the Western District of Washington at Seattle, Thompson posted the hacked data, obtained between March 12 and July 17, 2019, on the software development platform GitHub, a subsidiary of Microsoft. Another user observed the listing and informed Capital One of the breach.

Capital One said beyond the credit card application data, the individual also obtained portions of credit card customer information, including:

A number of cybersecurity professionals weighed in on this latest massive breach.

“The risk of a breach is higher than ever before for financial institutions,” Felix Rosbach, product manager at comforte AG, warned. “Those breaches create a lot of stress on both the issuer’s side and on consumers as fraud is easy to commit with stolen account information.”

Rosbach suggested it is crucial to protect sensitive data over the entire data lifecycle. “Fortunately, Capital One used tokenization to protect Social Security numbers and account numbers. As this is a different approach to data security – ideally not involving the distribution of keys – the tokenized data remained protected.” Rosbach added, however, that recent tokenization technology could have protected not only Social Security numbers and account numbers but also personal information, customer status data and transaction data. “Acquirers, merchants and issuers should only use tokens instead of clear text data to process payments and store sensitive data.”

Phishing expert Colin Bastable, Lucy Security CEO, also reacted. “At last, tokenization is deployed, doing what it is supposed to do. Good job, Capital One, more please!” Bastable cautioned that Capital One victims still face phishing attacks for years to come, long after the usual 12-month credit monitoring period provided. “The dark web probably knows more about most people in North America than their governments will publicly admit to. Employers need to protect themselves by ensuring that their employees are security aware.”

Jack Kudale, founder and CEO of Cowbell Cyber, said, “The latest known breach at Capital One highlights the importance of addressing the gap in insurability.” Kudale indicated the incident would attract attention to the information storage location, Amazon’s S3 bucket public cloud storage resource. “As the enterprise risk managers around the world now focus on response and recovery, the shift from traditional prevention and detection budgets will quickly shift to insurance.”

“It’s still early, and I think this one is going to develop out a bit more. However, I would not put it at the same level as the Equifax breach,” Chris Morales, head of security analytics at Vectra, noted. “What was exploited was a website vulnerability that gave access to credit card applications, including 140,000 Social Security numbers and 80,000 linked bank account numbers.” He added that it will need to play out in the next day or so. “I’m curious if the data was ever released to the public.”

Terence Jackson, chief information security officer at Thycotic, held, “While details are still unfolding, I think I have more questions than answers at the present time. What system did the perpetrator have access to? How was access monitored? Did she have admin access? How was she able to exfiltrate so many records without triggering any alerts? This is yet another example of why castle and moat security are not effective anymore. The threats are already inside.”

Dr. Richard Gold, head of security engineering at Digital Shadows, said, “Right now over 100 million people in North America are nervously waiting to see if they have been impacted. The breach is particularly significant for the 140,000 that have had their Social Security number compromised.” Gold explained this has serious implications for U.S. citizens since this number is used when applying for a number of financial products and for government services. He advised any potential victims not to wait for Capital One notification but to immediately change passwords across any accounts using the same log-in details as Capital One.