Houston Chronicle

CAPITAL OFFENSE

Experts: Firm could have prevented breach, issued clearer response

- By Erin Douglas

The Capital One data breach that compromised the personal information of more than 100 million people may have been preventable had the credit card issuer taken more care in configuring the firewall used to protect the system from intrusions, cybersecurity experts said.

The breach potentially revealed the names, addresses, ZIP codes, phone numbers, email addresses, dates of birth and self-reported income of about 100 million people in the United States and 6 million in Canada, Capital One said. A smaller portion of customers had their Social Security and bank account numbers compromised, the company said.

The company says it is unlikely that the information was used for fraud or disseminated by the suspect, but authorities are still investigating that possibility. Paige Thompson, the suspect in the data breach, was arrested by the FBI on Monday.

Was it preventable?

Thompson was allegedly able to break into data stored in the cloud, meaning remote servers maintained by a third party, because a firewall misconfiguration allowed commands sent from outside to reach and be executed by one of Capital One’s servers, according to the complaint against Thompson. That foothold enabled the suspect to access folders of data in Capital One’s storage space.

Cybersecurity experts said that the mistake is likely attributable to the Capital One information technology employees responsible for installing and configuring the firewall that protects access to the company’s data in the cloud. This type of attack could have been prevented by proper diligence and “penetration testing,” in which testers probe a system the way an attacker would in order to find weaknesses such as a misconfigured firewall, according to the Internet Society, a nonprofit internet policy organization.

Various security software systems also can provide IT departments with alerts about mistakes such as this, the experts said.
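The kind of automated check such tools run, shown here as an added example that is not part of the article and is not Capital One’s, Amazon’s or any vendor’s code: the script below audits a constructed, simplified list of inbound firewall rules (the Rule fields, the port lists and the sample ruleset are all assumptions that mimic a cloud security-group style allow-list) and flags rules that open everything, or internal-only services, to the whole internet. Penetration testers and configuration scanners look for exactly this class of mistake.

```python
"""Audit inbound firewall rules for entries that expose too much to the internet.

Added example, not from the article and not Capital One's configuration.
The Rule fields and the sample ruleset below are constructed assumptions that
mimic a cloud security-group style allow-list.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    source: str       # CIDR allowed to reach the host
    port_from: int    # inclusive port range
    port_to: int
    protocol: str     # "tcp", "udp" or "any"


# Services that should only ever be reachable from inside the network (assumption).
INTERNAL_ONLY_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql",
    6379: "redis", 27017: "mongodb", 9200: "elasticsearch",
}
# Ports a public web front end is expected to expose (assumption).
PUBLIC_WEB_PORTS = {80, 443}

Finding = Tuple[str, str, str]   # (rule name, severity, explanation)


def is_world_reachable(source: str) -> bool:
    """True for 0.0.0.0/0 and ::/0, i.e. any address on the internet."""
    return ipaddress.ip_network(source, strict=False).prefixlen == 0


def audit(rules: List[Rule]) -> List[Finding]:
    """Return one finding per rule that is too permissive; clean rules yield none."""
    findings: List[Finding] = []
    for r in rules:
        if not is_world_reachable(r.source):
            continue  # reachable only from a specific network: out of scope here
        width = r.port_to - r.port_from + 1
        if r.protocol == "any" or width == 65536:
            findings.append((r.name, "critical", "all traffic from the internet is allowed"))
            continue
        # Any internal-only service inside the opened range is a high-severity exposure.
        exposed = [f"{p}/{svc}" for p, svc in INTERNAL_ONLY_PORTS.items()
                   if r.port_from <= p <= r.port_to]
        if exposed:
            findings.append((r.name, "high",
                             "internal-only service open to the internet: " + ", ".join(exposed)))
        elif width > 1:
            findings.append((r.name, "medium",
                             f"broad port range {r.port_from}-{r.port_to} open to the internet"))
        elif r.port_from not in PUBLIC_WEB_PORTS:
            findings.append((r.name, "low",
                             f"non-web port {r.port_from} open to the internet; confirm it is intended"))
    return findings


# Constructed sample ruleset: two clean web rules, one clean admin rule, and
# several mistakes of the kind a scanner should raise an alert on.
SAMPLE_RULES = [
    Rule("allow-https", "0.0.0.0/0", 443, 443, "tcp"),
    Rule("allow-http", "0.0.0.0/0", 80, 80, "tcp"),
    Rule("admin-ssh", "10.0.0.0/8", 22, 22, "tcp"),
    Rule("debug-all", "0.0.0.0/0", 0, 65535, "any"),
    Rule("db-open", "0.0.0.0/0", 5432, 5432, "tcp"),
    Rule("wide-range", "0.0.0.0/0", 8000, 9000, "tcp"),
    Rule("ssh-v6", "::/0", 22, 22, "tcp"),
    Rule("custom-app", "0.0.0.0/0", 8080, 8080, "tcp"),
]

if __name__ == "__main__":
    for name, severity, why in audit(SAMPLE_RULES):
        print(f"[{severity.upper():8}] {name}: {why}")
```

Run as a script it prints one line per flagged rule; in a real deployment the same logic would read the exported rules of a cloud account rather than the constructed list, and would be run on a schedule so a change like “debug-all” is caught within hours rather than discovered after a breach.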

Jeff Wilbur, director of the Online Trust Alliance Initiative of the Internet Society, said data breaches on cloud storage are occurring more often, primarily because more companies are using the cloud. Companies are still responsible for their own security — even on the cloud — and most large companies regularly schedule testing to check for any gaps in security, he said, which should catch this sort of weakness in the firewall.

“It’s not like these attacks have become super sophisticated,” Wilbur said. “I would say this was preventable.”

Other experts agreed that Capital One likely had a lapse in a basic security measure.

“If it was a misconfiguration on a server, then that is a human error,” said Eva Velasquez, CEO of the Identity Theft Center, a nonprofit organization that provides identity theft assistance.

Capital One could not be reached for additional comment. Amazon Web Services, the cloud storage provider, said its security was not compromised.

“The perpetrator gained access through a misconfiguration of the web application and not the underlying cloud-based infrastructure,” an Amazon spokesperson said in a statement.

Data breaches are not uncommon, but they rarely affect this many people. In 2017, hackers stole personal data on more than 147 million people in a breach at the credit-reporting company Equifax. In 2013, about 40 million customers’ credit and debit card information was stolen through a Target security breach. Target paid $18.5 million to settle the case with state attorneys general.

Last year, 10 financial institutions experienced a data breach in Texas, exposing more than 77,000 records, according to the Identity Theft Center.

Gov. Greg Abbott recently signed HB 4390, which requires companies to notify affected individuals of a data privacy breach within 60 days. Companies also must notify the Texas attorney general if more than 250 Texas residents are affected. The changes to Texas’ data security law, however, will not take effect until 2020. Currently, Texas law requires businesses to disclose the breach “as quickly as possible.”

The Texas Office of the Attorney General could not provide an estimate of how many accounts in Texas may have been compromised by the Capital One breach. The office is currently determining how Texans’ information may have been impacted and what steps the Texas attorney general should take, according to a statement by spokesperson Marc Rylander.

Confused customers

Experts say communication from Capital One to its affected customers has not been very transparent since the breach. In the fact sheet posted on its website, the company writes that “no credit card account numbers or log-in credentials were compromised.” But three paragraphs down, Capital One explains that 80,000 linked bank account numbers of secured credit card customers were compromised.

Similarly, the company wrote that no Social Security numbers were compromised “other than” about 140,000 Social Security numbers.

“We really encourage organizations to be as transparent and clear in messaging as they can (after a breach), and this falls short of that,” Velasquez said.

Several customers commented online that it took too long for Capital One to make a statement about the breach considering that the company became aware of the attack July 17, when a whistleblower contacted the company after seeing the hacker post about the attack online.

Amy Timberlake of Denison, a Capital One customer for three years, described frustration with the lack of communication by the company.

“If my account is compromised, that should be shared with me before anyone else,” Timberlake said. “The fact that I learned about it from the news rather than my company is frustrating.”

Timberlake said whether she switches to a different credit card company due to the breach will depend on how Capital One rectifies the situation.

“They need to offer some form of compensation because they were trusted with people’s private information and they were not responsible with it,” she said. “Unfortunately, things like this are becoming commonplace. It depends on how they resolve it and make it right.”

The company said it will make free credit monitoring and identity protection available to those affected. Capital One expects the incident to cost the company between $100 million and $150 million to pay legal fees, notify customers and provide credit monitoring.

In the Capital One press release, the company said it would notify affected individuals through “a variety of channels,” but it did not say within what time frame. “Safeguarding our customers’ information is essential to our mission and our role as a financial institution,” Capital One said. “We have invested heavily in cybersecurity and will continue to do so.”

Capital One’s stock fell about 6 percent to $91.21 Tuesday.

What to do

Monitor your account: Customers should diligently monitor their accounts, experts said. A card issuer’s fraud controls will flag an unusual charge, but a thief who gets into an account and makes purchases that mimic the customer’s normal spending habits may not be caught by those controls, so the customer is the last line of detection.

Freeze your credit: Customers may also consider freezing their credit, which may be inconvenient if you are trying to open a new account, but is the most secure way to ensure no one opens a new account in your name. A freeze must be placed separately with each of the three credit bureaus, Equifax, Experian and TransUnion; freezing one bureau does not freeze the others.

• Equifax: 1-800-349-9960

• Experian: 1-888-397-3742

• TransUnion: 1-888-909-8872

Be wary of scams: Customers should also be careful of phishing messages in their email that appear to be from Capital One, but are not. Wilbur of the Internet Society said that other hackers are likely to prey on people who are worried about their accounts, pretending to be the company and asking for personal information. A legitimate call or email from Capital One would not ask for personal information, experts said.

Change your passwords: Customers should change their passwords for accounts that may have been compromise­d, such as their email and their bank accounts, said Sheryl Falk, co-leader of Winston & Strawn’s Global Privacy and Data Security practice.

Document your steps: Customers should document the steps they take in managing the data breach in case Capital One asks for proof they were adversely affected by the attack, said Velasquez of the Identity Theft Center. Record the time you spend managing your account following the breach and who you contact for help.

Photo: Johannes Eisele / AFP / Getty Images. A hacker accessed more than 100 million credit card applications with financial heavyweight Capital One, one of the biggest data thefts to hit such a company. An arrest has been made.
