Capital One breach shines spotlight on insider threats
Earlier this week, Capital One became the latest financial institution to fall victim to a data breach as it was discovered that a hacker illicitly gained access to data on 100 million customers. The data reportedly consisted of consumer and small business credit card applications filed between 2005 and 2019 and included applicants’ names, addresses, phone numbers, dates of birth, and other sensitive information. About 140,000 Social Security numbers and 80,000 bank account numbers were also accessed, although the bank said no credit card numbers or log-in credentials were compromised.
A former Amazon Web Services (AWS) employee, identified as Paige A. Thompson, is facing charges in connection with the theft. Thompson allegedly broke into the bank’s server, which it was renting AWS, and stole the data between March and July of this year. Authorities say Thompson was able to a gain access to the data via a misconfigured firewall protecting one of the bank’s applications.
On a positive note, Capital One said in a statement that that it is their practice to tokenize select fields of data, such as Social Security numbers and account numbers, and that they don’t believe the information obtained has been used for fraud or disseminated.
However, cybersecurity experts believe the incident will have significant implications moving forward and should serve as a reminder that all organizations, from small, family-run businesses to global enterprises, are vulnerable to cyber-attacks.
“(Capital One) has an outstanding security team and the highest standards and methodologies in cybersecurity, particularly in the cloud. Therefore, this breach illustrates how every company is vulnerable – it could be a large, small, critical or low risk supplier,” says Giora Omer, Head of Security Architecture at Panorays. “Companies working with suppliers need to make sure of the security standards put in place at the consumer, the type of data that they are sharing with that supplier and how to mitigate risk in case the supplier is breached. Hopefully for Capital One, the different controls put in place, including bounty programs and tokenizing sensitive data, will prevent this breach from becoming ‘Equifax 2.’”
The Capital One breach is also stark reminder of the damage that malicious insiders can inflict upon organizations. For all of the headline-grabbing attacks perpetrated by nation-state actors and cyber crooks who leverage ransomware to extort money from government and private entities, insiders with intimate knowledge of a company’s inner workings have historically posed much greater risks.
“The Capital One breach is a classic example of the ‘insider threat’ which has been present since the first merchant hung a shingle and sold goods and is certainly not limited to the digital age,” says Michael Magrath, Director, Global Regulations & Standards at OneSpan.
According to Laurence Pitt, Global Security Strategy Director at Juniper Networks, breaches carried out by insiders like this also demonstrates why organizations need a solution in place to revoke access rights for employees and contractors.
“This is a real wow – and very worrying. Malicious insiders are a huge risk to any organization, someone who is unhappy can be subverted for either money or simply to cause damage and disrupt business systems,” Pitt says. “The bottom line is that anyone can become malicious if they are unhappy, and any organization which grants high-levels of access rights to their systems also needs a process which can simply and quickly revoke said rights.”
Michael Clauser, Global Head of Data & Trust at Access Partnership, says that insider threat programs are proliferating within businesses today because of high-profile breaches like this.
“Organizations as diverse as banks, microchip companies, and military services recognize the insider threat. Insider threats, along with nation state-resourced attacks, are the most dangerous and unpredictable threat vector. Too often, the latter employs the former. Think: Edward Snowden, Bradley Manning, Harold T. Martin, and Reality Winner—all insider threats,” he says.
Lingering Impacts
While experts widely praised the bank’s use of tokenization to protect sensitive data, they were also quick to point out that much of the other information compromised could be easily used by hackers through various schemes to prey on consumers and businesses well into the future.
“Capital One victims are going to be phished for years to come – long after the cliched 12 month’s credit monitoring is done. So they and their employers should learn how to spot a phishing attack,” says phishing expert Colin Bastable, who serves as the CEO of Lucy Security. “The Dark Web probably knows more about most people in North America than their governments will publicly admit to. Employers need to protect themselves by ensuring that their employees are security aware.”
Paul Bischoff, Privacy Advocate with Comparitech, echoes Bastable’s sentiments and warns that people should be on the lookout for a wide range of scams heading their way.
“Much of the data that wasn't tokenized – names, addresses, dates of birth, etc. – can still be used against them. In particular, be on the lookout for phishing campaigns in the months ahead,” Bischoff adds. “Victims will likely receive targeted emails from scammers posing as Capital One or a related company. These emails might address the recipient by name and include other personal information, which makes the message much more convincing. Remember to never click on links or attachments in unsolicited emails, always check the domain of the sender's email, and never send sensitive information over email. You can always call Capital One's official phone number or online support to ask whether an email is legitimate. Scam calls could come over the phone as well. If you're not sure whether someone on the phone is legitimate, hang up and call the official number. Scammers often try to instill a sense of urgency in victims, so if you feel rushed to take some action, stop for a moment to think things through. “
Lessons Learned
Despite the fact that the breach occurred via a third-party provider and not within Capital One’s internal network, Magrath says that companies cannot expect to be shielded from culpability for these types of incidents in the future as evidenced by new cybersecurity rules that recently went into effect in New York.
“The third-party provider threat is a concern for CISO’s and regulators alike, which is why the New York Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) include specific requirements regarding third-party service providers. Under the regulation, banks and financial services providers must secure their own systems as well as implement third-party risk management programs,” Magrath explains. “Coincidentally the regulation’s applicability for third-party service providers just went into effect in March of this year,” Magrath explains.
“According to the regulation, section 500.11, ‘The organization must document written procedures and policies to ensure third-party risk management programs protect information systems and non-public information,’ Magrath continues. “Additionally, policies and procedures pertaining to third-party service providers are required to include relevant guidelines for due diligence as well as contractual protections, addressing: Access controls, including multi-factor authentication; Encryption; Notifications to be provided to the primary organization in response to a cybersecurity event; Representations and warranties for a third party’s cybersecurity policies and procedures.”
Leigh-Anne Galloway, Cybersecurity Resilience Lead at Positive Technologies, says that the breach should also be a wake-up call for organizations that are sleeping on implementing stronger security protocols in the cloud. “Cloud storage is an increasingly attractive option for large corporations because it is cheaper than on premise, but attacks like this show that organizations aren’t adopting security with the same vigor - and they should, otherwise the financial cost of penalties and lawsuits will vastly outweigh any IT savings,” she says.
Bob Noel, VP of Strategic Relationships for Plixer, adds that the breach also further reinforces why many companies remain reluctant to migrate sensitive data to the cloud.
“Enterprise organizations must weigh the benefits versus the risks of placing sensitive data into the cloud,” he says. “Configuration mishaps can happen on premise as well as in the cloud, however, if enterprises have better visibility into the network traffic while on premise (as opposed to the visibility they have into cloud network traffic), then they can perceive the risks in the cloud to be higher. Cloud providers are working to improve the visibility they can provide, but enterprises should also look to establish security technology stacks within their cloud instances to improve their visibility and reduce the risks posed by misconfigurations.”
About the Author:
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].