Capital One Fallout Continues; One Million Fingerprints Exposed in New Breach
A hacker exposes roughly 80,000 linked bank accounts and 140,000 Social Security numbers.
Hackers continue to rock the financial world, as seen in the fallout from the Capital One breach of 100 million records and a biometric exposure of almost 28 million records, including a million fingerprints.
The San Diego, Calif.-based Identity Theft Resource Center reported that the Capital One breach raised the yearly totals for the Banking/Credit/Financial category to 56 breaches, affecting 100,382,256 records, or 69.2% of the 2019 total records. Total for all categories (counting only reported records) through July 2019: 907 breaches, 145,113,911 records.
“The data breach was attributed to unauthorized access by an outside individual. Small businesses and individuals who applied for a credit card with Capital One had their names, addresses, dates of birth, email addresses, credit scores, credit limits, payment history and balances exposed,” the ITRC reported. Additionally, the hacker exposed roughly 80,000 linked bank accounts and 140,000 Social Security numbers.
At the end of July House Small Business Committee Chairwoman Nydia M. Velázquez (D-N.Y.) wrote to Capital One CEO Richard Fairbank, requesting information on how the company’s recent data breach will affect small business owners and what efforts the company is taking to mitigate the hack’s impact on small firms. “This breach is alarming because of its potential impact on small business owners in a variety of industries across the country,” Chairwoman Velázquez wrote.
On August 13 in federal court in Seattle, the Justice Department identified Paige Thompson, a former Amazon employee, as the suspect in the information theft from Capital One. “The major cyber intrusions resulted in the theft of massive amounts of data from what now appears to be more than 30 victim companies.”
Anu Yamunan, vice president, product management and research, Exabeam, said, “It’s no surprise that a massive bank holding company like Capital One has been targeted by a malicious adversary.” Yamunan noted that the ITRC reports financial services firms are targeted by security incidents 300 times more often than other industries. Yamunan pointed out that this combination of information could allow someone to open a line of credit, collect medical benefits, pursue employment in the victim’s name or even steal their entire identity.
Then in August, security researchers Noam Rotem and Ran Locar of vpnMentor discovered the Suprema BioStar 2 biometric database, holding more than a million fingerprints, exposed in an openly accessible database that also contained 27.8 million records featuring facial images, unencrypted user names, passwords, employee records and logs of entry to secure areas, among other sensitive information. Suprema’s BioStar, a lock using fingerprints and facial recognition software, provides access to secure facilities.
Additionally, the researchers could view administrator passwords, replace users’ fingerprints, and observe biometric data usage. The researchers said that they contacted Suprema, which has many customers in the financial and government sectors, about the vulnerability two days after the discovery in early August.
Cybersecurity experts commented:
Willy Leichter, vice president of marketing, Virsec, said, “Unfortunately, leaking of biometric source information is the inevitable next step in a long line of security blunders. With any authentication method, from passwords to advanced biometrics, security is only as strong as its weakest link. With all the hype around biometrics and AI, we tend to overlook the basics – we are entrusting increasingly unchangeable personal data to a network of third parties with little oversight, and few enforceable standards over how priceless personal data is handled.”
Vinay Sridhara, chief technology officer of Balbix, noted, “The information exposed could allow a malicious group to conduct a sophisticated social engineering attack with real-world implications, including allowing unauthorized users to access high-security areas that require biometric signatures for access.” Sridhara added that the South Korea-based biometrics, security and identity solutions provider could face fines under GDPR and litigation from citizens in other countries, including the U.S.
“The Suprema incident is the first reported biometric database breach and is yet another example of a company that exposed highly sensitive consumer data due to a simple security mistake. Leaving a database publicly accessible is unacceptable – especially given the extremely sensitive data with which Suprema is entrusted,” Anurag Kahol, chief technology officer, Bitglass, said.
Kevin Gosschalk, CEO, Arkose Labs, stated, “This breach not only exposes individuals to fraud but also makes them indefinitely vulnerable to future attacks, as biometrics, unlike passwords or credit card numbers, cannot be changed.” He also maintained that it is unclear how immediately cybercriminals will be able to weaponize this information to the detriment of the 28 million victims impacted and the 5,700 organizations currently using Suprema’s biometric identity technology.
“Suprema has potentially made its customers vulnerable to account hijacking and brute force, credential stuffing attacks against more sensitive profiles on financial, healthcare and government-related portals. In fact, State Farm just acknowledged that it had been hit by a credential stuffing attack in July, proving that no company is safe,” said Chris DeRamus, co-founder and chief technology officer of DivvyCloud.
Robert Prigge, President of Jumio, said, “This data breach comes at a critical moment, as a growing number of consumers are comfortable using biometric technology on a daily basis to unlock their phone or authorize a digital payment. Storing sensitive biometric data without encryption, such as the actual fingerprint and facial recognition information compromised with this breach, is gross negligence.”
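As an added example (not code from the article, from vpnMentor or from Suprema), the following Go program shows the storage pattern the researchers’ findings and Prigge’s comment point to: a biometric template is encrypted with AES-GCM under a key that lives outside the database, the record’s user ID is bound in as associated data, and a record whose template bytes have been replaced or which has been moved under another user is rejected on read instead of being trusted. The record type, the key source and the exact-match comparison are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

// TemplateRecord is a hypothetical row for one enrolled user. Only the
// nonce and the AES-GCM ciphertext (which carries its own authentication
// tag) are persisted; the raw template never sits in the database in the clear.
type TemplateRecord struct {
	UserID     string
	Nonce      []byte
	Ciphertext []byte
}

// ErrTamperedOrWrongUser is returned when a stored record fails authentication.
var ErrTamperedOrWrongUser = errors.New("biometric template failed authentication")

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealTemplate encrypts a raw template under key, which is assumed to come
// from a KMS or HSM and is never stored beside the data. The user ID is
// bound in as additional authenticated data, so a ciphertext cannot be
// silently copied from one user's row to another's.
func SealTemplate(key []byte, userID string, template []byte) (TemplateRecord, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return TemplateRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return TemplateRecord{}, err
	}
	ct := aead.Seal(nil, nonce, template, []byte(userID))
	return TemplateRecord{UserID: userID, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenTemplate decrypts and authenticates a record. A modified byte in the
// ciphertext, a replaced template, or a record presented under a different
// user ID all fail here rather than yielding an attacker-chosen template.
func OpenTemplate(key []byte, rec TemplateRecord) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.UserID))
	if err != nil {
		return nil, ErrTamperedOrWrongUser
	}
	return pt, nil
}

// MatchTemplate compares a freshly captured template with the stored one.
// Production matchers score similarity; exact, constant-time comparison is
// a stand-in that keeps this example self-contained.
func MatchTemplate(key []byte, rec TemplateRecord, captured []byte) (bool, error) {
	stored, err := OpenTemplate(key, rec)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(stored, captured) == 1, nil
}

func main() {
	key := make([]byte, 32) // demo key; in practice fetched from a KMS
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	template := []byte("constructed-minutiae-template-0001") // constructed sample

	rec, err := SealTemplate(key, "alice", template)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes for %s (plaintext not present)\n", len(rec.Ciphertext), rec.UserID)

	ok, _ := MatchTemplate(key, rec, template)
	fmt.Println("genuine capture matches:", ok)

	// A stored template whose bytes were overwritten is detected on read.
	tampered := rec
	tampered.Ciphertext = append([]byte(nil), rec.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = OpenTemplate(key, tampered)
	fmt.Println("tampered record rejected:", errors.Is(err, ErrTamperedOrWrongUser))

	// A record moved under another user's ID is detected on read.
	moved := rec
	moved.UserID = "mallory"
	_, err = OpenTemplate(key, moved)
	fmt.Println("re-homed record rejected:", errors.Is(err, ErrTamperedOrWrongUser))
}
```

Encryption at rest alone would not have stopped an openly reachable database from being read, but it turns the leaked rows into ciphertext that reveals nothing about the fingerprint, and the associated-data binding means the “replace users’ fingerprints” finding becomes a detected integrity failure rather than a silent enrolment change.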
“Biometric data is held as a gold standard to authenticate users and validate they are who they say they are,” Ben Goodman, SVP, global business and corporate development of ForgeRock, said. Goodman added that cybercriminals could change existing data in the database, “as well as add new users, which could allow for malicious actors to conduct sophisticated social engineering attacks. This could include: government agencies, banks or other users of the Biostar 2 system.”
Tim Erlin, vice president, product management and strategy at Tripwire, said, “As an industry, we’ve learned a lot of lessons about how to securely store authentication data over the years. In many cases, we are still learning and re-learning those lessons. Unfortunately, companies cannot send out a reset email for fingerprints. The benefit and disadvantage of biometric data is that it cannot be changed.”