Capital One is modernizing its technology stack with in-house development and adopting a public cloud-oriented strategy on Amazon Web Services, an outlier in the risk-averse financial services sector.
But even with cybersecurity measures in place, Capital One was breached.
The company's breach disclosure came 10 days after the intrusion's discovery. A suspect is already in custody and Amazon Web Services is distancing itself from the bank's flawed web configuration.
Capital One is the latest company to suffer an unauthorized access to its systems. About 106 million customers were affected by the intrusion, which exposed personal information including credit scores and payment history.
"No one steals that much data just for bravado," Avivah Litan, distinguished VP analyst at Gartner, told CIO Dive. It's possible, Litan said, the information was already sold, increasing the chances of identity fraud for affected customers.
Here are five things to know about Capital One's data breach and what led law enforcement to Paige Thompson. As more details become known, further security and privacy scrutiny is expected.
1. Who hacked Capital One?
The Department of Justice accused Thompson, who uses "erratic" as her online handle, of illegally accessing a computer holding financial records of Capital One customers, according to an indictment.
She is a former AWS employee, The New York Times reported. Thompson "allegedly used web application firewall credentials to obtain privilege escalation," Scott Albahary, chief strategist of financial services at Perficient, told CIO Dive in an email. The bank had a configuration flaw that she was able to abuse.
The DOJ said Thompson posted on GitHub about taking Capital One's data from servers "very close in time to the intrusions."
On June 27, Thompson claimed a directory in her possession held data "associated with Capital One" and posted about other private and public entities, according to the DOJ. Law enforcement believes these public confessions could reference other illegal intrusions.
Around the same time, she posted in a Slack channel, "I wanna get it off my server that's why I'm archiving all of it lol," according to a screenshot provided by Capital One.
The day after a user submitted a tip to Capital One about Thompson's GitHub post, she said on Twitter, "I've basically strapped myself with a bomb vest ... I wanna distribute those buckets first I think."
2. The cloud security nothingburger
Capital One found the GitHub file, dated April 21, which detailed the IP address of a particular server.
"A firewall misconfiguration permitted commands to reach and be executed by that server," enabling access to data folders or buckets on AWS, according to the DOJ.
Critics blaming Amazon for the breach are misinformed, according to Litan. The infiltrator got in through the Web Application Firewall (WAF), and it was likely sitting on a Capital One server.
AWS has security services, but enterprises have their own access management and access security brokers that bridge on-premises access to the cloud.
This was "not good timing for AWS," but it doesn't deserve the criticism, Litan said.
Most of the security that companies put around the cloud is within their own control.
Capital One "has plenty of security controls," including its in-house developed Cloud Custodian, according to Litan. Because the bank wrote the open source tool, it invested heavily in identifying configuration and permissions management issues.
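The DOJ description above boils down to a permissions problem: commands reaching a server were enough to reach "data folders or buckets," which means the role that server could act as was allowed to read far more S3 data than a firewall host needs. As an added illustration (not code from the article, from Capital One's Cloud Custodian, or from AWS), the following Python lints an IAM policy document for exactly that pattern: S3 data-read actions granted against wildcard resources. The two policy documents are constructed samples for this example, not Capital One's actual role configuration, and the bucket name `example-waf-logs` is invented.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: an over-broad policy of the kind that lets any host that
# can assume the role read every bucket in the account. Illustrative only.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": "*"},
    ],
}

# Constructed sample: the same role scoped to the single bucket a firewall host
# actually needs (writing its own logs), with no read access to customer data.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": "arn:aws:s3:::example-waf-logs/*",  # hypothetical bucket
        },
        {"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": "*"},
    ],
}

# Actions that let a caller discover and copy bucket contents.
DATA_READ_ACTIONS = (
    "s3:ListAllMyBuckets",
    "s3:ListBucket",
    "s3:GetObject",
    "s3:GetObjectVersion",
)


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_is_wildcard(resource):
    """True if the resource covers every bucket rather than a named one."""
    if resource == "*":
        return True
    if resource.startswith("arn:aws:s3:::"):
        bucket = resource[len("arn:aws:s3:::"):].split("/", 1)[0]
        return bucket in ("", "*")
    return False


def find_overbroad_s3_grants(policy):
    """Return sorted (statement index, action, resource) triples for Allow
    statements that grant an S3 data-read action on a wildcard resource.
    Conditions are not evaluated, so a conditioned statement is still reported
    (a conservative choice: a reviewer should confirm the condition narrows it)."""
    findings = set()
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            # NotAction allows everything except the listed actions, which almost
            # always includes S3 reads; flag it for manual review.
            for res in resources:
                if _resource_is_wildcard(res):
                    findings.add((idx, "NotAction", res))
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in DATA_READ_ACTIONS:
                if not _action_matches(pattern, action):
                    continue
                for res in resources:
                    if _resource_is_wildcard(res):
                        findings.add((idx, action, res))
    return sorted(findings)


def lint_report(policy):
    """Human-readable summary of find_overbroad_s3_grants for one policy."""
    findings = find_overbroad_s3_grants(policy)
    if not findings:
        return "OK: no S3 data-read grants on wildcard resources"
    lines = [f"statement[{i}] allows {a} on {r}" for i, a, r in findings]
    return "OVER-BROAD:\n  " + "\n  ".join(lines)


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
        print(lint_report(doc))
```

The point of the check is the one Litan makes: the controls around a bucket are the customer's to configure, and a role that can be assumed from a front-end host should not be able to enumerate or read buckets it has no business with. Running this over every role attached to an instance profile, before the role exists rather than after a breach, is the kind of job a policy tool like Cloud Custodian is built for.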
3. What's at stake
The breached data was copied from the folders or buckets and contained credit card application information. Some of the information, like Social Security numbers, was encrypted.
But unencrypted information includes names, addresses and bank account numbers.
Names and email addresses carry less weight than other personal data. "The more specific you get, the more opportunity it has for abuse," Jeff Wilbur, director of the Online Trust Alliance Initiative at the Internet Society, told CIO Dive.
Specific bank account numbers could allow hackers to initiate Automated Clearing House (ACH) transfers. Social Security numbers can be used to apply for credit cards, loans or tax refunds, Wilbur said. Any personal data leak can contribute to the creation of more personalized phishing schemes.
The "potential impact to an individual is unconstrained" when other details accompany banking information, Albahary said.
4. Breaches in financial services
The banking industry boasts some of the largest IT budgets in enterprise. JPMorgan spent nearly $11 billion on technology in 2018, followed by Bank of America at $10 billion and Citigroup's approximately $8 billion tech spend.
Even with deep pockets, bank cybersecurity can have flaws.
In 2005, CitiFinancial, a Citigroup subsidiary, experienced a physical data breach. The company said UPS lost "tapes" while in transit, containing names, Social Security numbers, account history and loan information.
At the time, the lost information was the largest reported breach of customer data, but now hackers are savvier.
In 2014, JPMorgan Chase experienced a data breach, which affected 76 million households and 7 million small businesses. While basic personal data, such as names and phone numbers were compromised, other information, like account numbers and Social Security numbers, was left untouched.
Capital One suffered a previous data breach, less severe than the one announced this week, in 2017. That breach, carried out between January and April 2017, was an "inside job," according to the notification letter.
"Security is not a science, it's an art," Litan said. It sometimes defies even best practices.
It's possible Capital One lacked certain security protocols, such as layered protection or encryption, or had weak password security.
However, "we can't expect Capital One to fight these threats," she said. Cyber criminals' sophistication demands a better cybersecurity alliance between the public and private sector.
5. Privacy implications
As data privacy regulation gains momentum in the U.S., scrutiny and recovery costs are expected.
Capital One expects the breach to cost between $100 million and $150 million in 2019. However, the company has a cyber risk insurance policy, subject to a $10 million deductible and total coverage limit of $400 million, according to Capital One's breach announcement.
With the Federal Trade Commission handing out two record fines last week, it's unclear how much of a potential data privacy penalty can be covered by insurance.
"Negligence, while not an excuse or defense, must be viewed against a different scale" than intentional misuses of consumer data, Albahary said. But the type of data exposed plays a role in how fines are levied.
If law enforcement is able to conclude with certainty that Thompson leveraged her experience at AWS to gain access, it would suggest "Capital One's security policies and procedures were severely lacking, as access codes need to be secured, available only on a need-to-know basis, and changed frequently," Albahary said.