Hackers are an endless fight for big banks
Capital One case one of 3,494 reported cyberattacks this year
Large financial companies have to thwart hundreds of thousands of cyberattacks every single day. Data thieves have to get lucky only once.
Big banks like Capital One, the victim of a recent attack that captured the personal information of more than 100 million people, are a target for digital troublemakers, like individual hackers trying to impress their peers or intelligence operatives for foreign governments.
A single weak spot is all savvy hackers need. And they often find them. Already this year, there have been 3,494 successful cyberattacks against financial institutions, according to reports filed with the U.S. Treasury Department’s Financial Crimes Enforcement Network.
Federal law enforcement officials said Monday that Paige Thompson, a software engineer in Seattle who used to work for Amazon, got into Capital One’s computer network through what the bank described as a “configuration vulnerability” in its security software. It was akin to leaving a window open overnight at the local bank.
Once inside, she was able to download an array of personal material from customers, including credit card applications and social insurance numbers, according to court documents.
Security experts are likely to home in on the apparently simple mistake made by software developers at Capital One, said Jack Jones, the chairman of the FAIR Institute, a cybersecurity trade group. But simple mistakes are common when it comes to online security.
The Capital One episode is a reminder of the intricacy of the computer networks at large financial institutions, as well as their vulnerability. Over the past several years, companies including Equifax and Morgan Stanley have been attacked with various hacking methods.
In some cases, the hackers have taken advantage of weak passwords or sent fake emails loaded with malicious computer code that helped them get inside the network. In others, they have scanned for software that hasn’t been kept up-todate with the latest security fixes. Some hacks took hours. Others took months.
“The very best hackers in the world are hacking these banks, and it’s a full-fledged arms race,” said Tom Kellermann, the chief cybersecurity officer at Carbon Black, a security software maker.
Cybersecurity “may very well be the biggest threat to the U.S. financial system,” Jamie Dimon, JPMorgan’s chief executive, said in an April letter to shareholders. His company was the victim of a major data breach in 2014 after hackers exploited an employee password to steal data on 76 million households.
The average cost of a security breach in the United States has escalated in recent years to $8.2 million (U.S.), according to a study by IBM Security and the Ponemon Institute. The cost for companies of Capital One’s size can climb much higher, particularly with class-action lawsuits and fines.
Cybersecurity experts wondered why the company’s security defences did not pick up Thompson’s intrusion. Most financial institutions use technology that can detect unusual patterns of behaviour indicating that a user could be trying to rob the bank.
Capital One learned about the attack from an outsider about three months after it happened. On July 17, the company got an email that tipped it off to leaked data posted on the coding platform GitHub.
“Let me know if you want help tracking them down,” the person who raised the alarm wrote in the email to the bank.