Capital One Data Breach

Data Breach

The latest Data Breach is here

Yep, another one bites the dust: Capital One is the latest financial data breach. This one is massive. It is estimated that over 100 million Americans and six million Canadians are affected. These data breaches seem to be getting more and more common.

The FBI

The FBI has apparently charged a woman with computer fraud and abuse. She is a former employee of AWS. Her résumé states she was a systems engineer at a cloud computing company. An Amazon spokesperson did not reply to a request for comment. It is reported that a misconfigured cloud firewall is the attack vector. Sounds kind of fishy to me.

The bulk of the exposed data involves information including addresses, dates of birth and self-reported income (Wall Street Journal).

Other information compromised in data breach

The data breach is believed to include credit scores, payment histories and credit limits. Those affected are said to be individuals and businesses that applied for Capital One credit cards between 2005 and 2019.

Capital One

Capital One chairman and chief executive Richard D. Fairbank expressed his “deep sorrow” for the data breach incident and his commitment to making it right. While this sounds good, I am highly skeptical about his concern. I doubt it is more than lip service to quell the ire of those affected and the general public. Sounds like the typical ‘cover your ass’ strategy to me.

The reason I say this is that only 38% of C-suite members said they would work with the security team to solve a security issue, according to my article of July 2, 2019. You may also want to read the Top 5 Excuses For Not Having a Cyber Security Program article I wrote on May 17, 2019. While that article focuses on companies with a smaller budget, I wonder how many of the excuses will come into play here.

I understand that one of a CEO’s main responsibilities is to ensure the profitability of the company. Does that mean protecting the PII of customers from a data breach is secondary at best? I am only speculating here, but something just isn’t sitting well with me. If we really dig into the underlying causes of these breaches, what will we find? Will we discover security costs were minimized to allow for increased profit margins?

Will Fairbank actually take responsibility? I highly doubt it. I figure he will be allowed to retire with a healthy ‘Golden Parachute’ plan and fade into obscurity. While he may not be directly responsible, it happened on his watch.

What about the safeguards to prevent a data breach

The safeguards we are taught about in every cyber security class or course are taught for a reason. A firewall misconfiguration should never slip through the cracks, especially for payment card providers. I mean, aren’t they the ones who publish and enforce PCI-DSS? A firewall is a first line of defense and should never be a single point of failure. I bet they will try to push some of the blame onto Amazon because it was Amazon’s cloud service where the data was stored.

I realize that cloud solutions are more cost effective and address an availability issue. There is also an inherent risk in the storage hardware not really being under your control; you may be at the mercy of whoever actually owns it. Even though the servers may ultimately be under AWS control, the decision to rely on the AWS cloud was made by Capital One. I personally don’t see the need to store 14 years of data in an apparently publicly accessible place. Read requirement 3 of PCI-DSS on page 14 of the quick reference guide linked below.

Data Security

There are safeguards that were not adhered to if a firewall misconfiguration led to the data breach, and I will address that in a moment. First, though, realize there are three states of data: data at rest, data in motion, and data in use. There are ways to protect data in all three states.

What about encryption

This scenario seems to have affected data at rest. I only say this because records from 2005 were in the mix, and they were being stored. Encryption is supposed to protect data from unauthorized access and use. Hopefully the encryption used was strong and the keys were not compromised.

PCI-SSC (Payment Card Industry Security Standards Council)

They are the ones who write PCI-DSS (Payment Card Industry Data Security Standard). PCI-DSS states some pretty stringent rules that must be complied with. The first rule for compliance states that you must Build and Maintain a Secure Network. The first requirement is having firewalls in place and testing whenever changes are made to configurations. Just a bit further along, requirement 3 states that you must PROHIBIT direct public access between the internet and ANY system component in the cardholder data environment.

So far we have identified that 2 of the first three subsections have been violated. We could even say three strikes, but they may have complied with the testing when changing firewalls or configurations, although it doesn’t look that way.
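As an added example (not from the original post, and not Capital One’s or AWS’s actual configuration), here is a small Python audit for the condition the quick reference guide describes: an inbound firewall rule that lets any Internet source reach a component of the cardholder data environment. The rule format, the `cde` flag, the internal address ranges and the sample rules are all assumptions constructed for the illustration, not any cloud provider’s real API.

```python
"""Flag inbound firewall rules that expose cardholder-data components to the Internet.

Added illustrative example. The rule dictionaries below are a simplified,
assumed format (not any cloud provider's real API) and the sample rules are
constructed, not taken from any real configuration.
"""
import ipaddress

# Address ranges treated as internal (assumption: RFC 1918 plus IPv6 ULA).
INTERNAL_RANGES = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Constructed sample rules: each permits inbound traffic from `source`
# to `target` on `port`; `cde` marks cardholder data environment components.
SAMPLE_RULES = [
    {"id": "r1", "source": "0.0.0.0/0", "target": "public-web", "port": 443, "cde": False},
    {"id": "r2", "source": "0.0.0.0/0", "target": "customer-db", "port": 5432, "cde": True},
    {"id": "r3", "source": "10.0.0.0/8", "target": "customer-db", "port": 5432, "cde": True},
    {"id": "r4", "source": "::/0", "target": "reporting-api", "port": 80, "cde": True},
    {"id": "r5", "source": "203.0.113.0/24", "target": "app-server", "port": 8443, "cde": True},
]


def is_public_source(cidr):
    """True unless the source network lies entirely inside an internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(
        net.version == internal.version and net.subnet_of(internal)
        for internal in INTERNAL_RANGES
    )


def find_public_cde_exposure(rules):
    """Return the ids of rules that allow Internet sources into CDE components.

    This is the condition the quick reference guide's wording describes:
    direct public access between the Internet and a CDE system component.
    """
    return [r["id"] for r in rules if r["cde"] and is_public_source(r["source"])]


def exposure_report(rules):
    """Human-readable lines, one per finding (used by the stand-alone run)."""
    by_id = {r["id"]: r for r in rules}
    return [
        f"{rid}: {by_id[rid]['source']} -> {by_id[rid]['target']}:{by_id[rid]['port']} "
        "is reachable from the public Internet"
        for rid in find_public_cde_exposure(rules)
    ]


if __name__ == "__main__":
    for line in exposure_report(SAMPLE_RULES):
        print(line)
```

Rule r1 is open to the world but is not a CDE component, so it is not reported; r2, r4 and r5 are. Note that a rule is only treated as internal when its whole source range sits inside one of the internal ranges, so an overly broad CIDR cannot pass by merely overlapping private space.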

You can take a look at the PCI-DSS Quick Reference Guide by visiting https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

Right on the cover page it makes the following clear statement: “For merchants and entities that store, process or transmit cardholder data”.

I apologize for the rant, but I am getting tired of finding out about these huge data breaches. In fact, I just completed the enrollment for the Equifax settlement credit monitoring service two days ago.

Amazon Scam | A New Twist

Watch Out for Latest Amazon Scam

This is a new twist on the Amazon scam. It does not contain any links. It does have an attached file, which I am sure includes malicious code.

Do you, your family and your employees know how to spot an email scam or phishing attempt? Someone who is an Amazon affiliate might just fall for this one. There are giveaways that are generally consistent with phishing or scams, and this one is no exception.

The most glaring one is the From email address. The displayed name is “Amazon Marketplaces”, which may fool some people even though it says Marketplaces where it should have been Marketplace. The actual email address is not from the Amazon domain, as shown below.

Amazon Marketplaces <reservations@thebistr********dale.com>

Your Amazon Seller Fees VAT Invoice for 6/2019-ID (New-ID: 112-5591137-4708119)-[05/2019]

Dear email.address.was.here,

Please find enclosed an electronic tax invoice for the month of 6/2019 in HTML format. Please note that this invoice is not a request for payment.

To review your account summary or request other copies of your tax invoices, please log into your Seller Central account.

If you have any questions, please contact Seller Support.

Best regards,

Amazon Payments Services
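The giveaway described above, a display name that claims a brand while the address sits on an unrelated domain, is easy to check mechanically. The following Python is an added example, not code from the original post: it splits a From header into display name and sending domain and compares the domain against an allow-list. `BRAND_DOMAINS` is a constructed allow-list (an assumption), and the first sample header reproduces the post’s scam with the domain masked exactly as the post shows it; the third sample goes one step beyond the post by showing why the comparison must be anchored on the right-hand end of the domain.

```python
"""Compare an email's From display name with the domain that actually sent it.

Added example, not from the original post. BRAND_DOMAINS is a constructed
allow-list (assumption); the first sample header reproduces the post's scam
with the domain masked exactly as the post shows it.
"""
from email.utils import parseaddr

# Assumed allow-list: brands a display name may claim, and their real sending domains.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.ca", "amazon.co.uk"},
}

# Constructed sample From headers.
SAMPLE_FROM_HEADERS = [
    "Amazon Marketplaces <reservations@thebistr********dale.com>",  # the post's scam
    "Amazon.com <no-reply@amazon.com>",                              # legitimate form
    "Amazon Payments <billing@amazon.com.example.net>",             # look-alike subdomain trick
]


def sender_parts(header):
    """Split a From header into (display name, lower-cased sending domain)."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def claimed_brand(display_name):
    """Return the brand the display name appears to claim, if any."""
    words = display_name.lower().split()
    for brand in BRAND_DOMAINS:
        if any(w == brand or w.startswith(brand + ".") for w in words):
            return brand
    return None


def domain_allowed(domain, allowed):
    """True for an exact allowed domain or a subdomain of one.

    Anchoring on the right-hand side is what defeats
    'amazon.com.example.net': it ends in example.net, not amazon.com.
    """
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def assess_from_header(header):
    """Return 'ok', 'mismatch' (brand claimed, wrong domain) or 'unknown-brand'."""
    name, domain = sender_parts(header)
    brand = claimed_brand(name)
    if brand is None:
        return "unknown-brand"
    return "ok" if domain_allowed(domain, BRAND_DOMAINS[brand]) else "mismatch"


if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(f"{assess_from_header(header):13s} {header}")
```

A mail gateway or a user-training exercise can use the same rule: when the display name invokes a brand, the sending domain has to be that brand’s domain or a subdomain of it, never a domain that merely starts with the brand’s name.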

Learn how you can teach your employees to avoid phishing and other scams. This not only helps protect your company but also your employees and their families from scams that can lead to identity theft or serious security breaches. Contact us HERE

Quest Diagnostics Data Breach

Quest Diagnostics Data Breach

The most recent data breach involves Quest Diagnostics. Quest is among the largest medical testing labs on the planet. The unfortunate thing about this breach is its magnitude: over 12 million people may have had personal, financial and other information compromised. What’s more, Quest was not the party that was hacked. In fact, it was a subcontractor of the company Quest contracted with to handle its billing.

Third/Fourth Party

This is really bad in many ways beyond the 12 million Quest customers who had their information stolen. While Quest was not hacked, they are still seen as the responsible party by the customers. Quest uses Optum360 for its billing collections. Optum360 in turn uses AMCA (American Medical Collection Agency) for those services. Apparently AMCA told Quest of the breach in mid May but was unsure of when the breach/hack occurred. The story is longer and more involved than I am going to go into here, but this is the 30,000-foot overview.

Outsourcing

The point here is that you need to be specific when outsourcing operations. You need to know and agree to exactly who is going to be doing your work. This is especially true when it involves PII, PHI or financial information. The reason should be clear. The news and other media top stories all imply on the surface that Quest Diagnostics was the company whose systems were compromised. As you know, the media always want the most compelling headlines. If they were to say AMCA was breached, fewer readers/viewers would pay attention.

My question is: who else uses AMCA for their collection services? How many other people’s information may have been stolen? What, if anything, will AMCA, Optum360 and Quest be required to do if identities are stolen? Can this information be sold to insurance companies? Could it be used against the victims in the future, perhaps for health care related situations or to increase their premiums?

Are Your Systems at Risk

The details of the breach are still unknown. The fact remains that no business with an online presence is immune to having its systems compromised. The biggest threat to most businesses is not being hacked by some nefarious character; it is from inside their own employee base. It could be a disgruntled employee intent on causing as much damage as possible, or possibly someone who feels they don’t get paid enough and exfiltrates proprietary information to sell it to the competition. The biggest insider threat, though, is an uninformed employee taking careless actions like inserting a thumb drive of unknown origin or clicking on a link in an email.

Phishing and Pharming

Two types of email scams out there to be watchful for are Phishing and Pharming.

You have likely heard of Phishing, but what about Pharming? I will explain both to give you a clear picture of what each is and what you can do to keep from becoming a Pharmed Phish.

Let’s start with Phishing.

Generally a phishing email is designed to get the recipient to take an action. The email is crafted to scare or bait the recipient into clicking a link contained in the email. The link can lead you to a malicious website or even immediately begin downloading a malware package. The links are usually disguised or spoofed to make you think you are heading to a familiar and safe website.

Pharming can be much the same.

Your email address may have been scraped from a website or social media platform. The email is then sent out with the same intent of getting you to click a link; sometimes even opening the email can be enough. The link characteristics are much the same as in phishing: spoofed! The links can also have the same dangerous actions associated with them.
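Both sections above turn on the same trick: a link whose visible text names a familiar site while the href goes somewhere else. The following Python is an added example, not code from the original post, showing how a mail filter or awareness tool can catch that mismatch with only the standard library. The HTML body is a constructed sample, and the “registrable part” comparison (last two DNS labels) is a deliberate simplification that assumes no public-suffix list handling.

```python
"""Detect links whose visible text names one domain while the href goes to another.

Added example, not from the original post. The HTML below is a constructed
sample phishing body; the "registrable part" comparison is a deliberate
simplification (assumption: last two DNS labels, no public-suffix handling).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one spoofed link, two honest ones, one with non-URL text.
SAMPLE_HTML = """
<p>Please sign in at
<a href="http://login-verify.example.net/amz">https://sellercentral.amazon.com/</a>
to review your invoice.</p>
<p><a href="https://www.amazon.com/help">www.amazon.com</a></p>
<p><a href="https://support.example.org/">example.org/help</a></p>
<p><a href="https://example.org/x">Click here</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Last two labels of a hostname (simplification noted above)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def find_spoofed_links(html):
    """Return (visible_text, actual_host) for links whose text looks like a URL
    or domain but whose href resolves to a different registrable domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if " " in text or "." not in text:
            continue  # plain wording such as "Click here" makes no domain claim
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        actual_host = urlparse(href).hostname or ""
        if registrable_part(shown_host) != registrable_part(actual_host):
            findings.append((text, actual_host))
    return findings


if __name__ == "__main__":
    for text, host in find_spoofed_links(SAMPLE_HTML):
        print(f"link text {text!r} actually points at {host}")
```

Only the first link is reported: its text claims sellercentral.amazon.com but the href goes to login-verify.example.net. The `www.amazon.com` and `example.org/help` links agree with their targets once reduced to the registrable domain, and “Click here” is not a domain claim at all, so it is left to other checks.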

What can you do?

I suggest that you always use a preview pane so that the email does not actually open. This can protect you a little bit. Also set your email program to never automatically download pictures. You can set trusted email senders individually to automatically show images.

It is probably a good idea to initially view all emails as plain text and not as HTML. It is likely a safer way to get your emails, and it will also speed up email retrieval.

As you probably gathered from the above, you do not have to opt in to get on someone’s email list. As is the case with most criminal activity, the phishers, pharmers and scammers do not care about the laws. Your email address can be scraped, bought and sold without your consent or knowledge. Legitimate companies follow the rules and laws and will not randomly scrape email addresses from the web and try to scam you.

If you receive unsolicited emails it is safer to just mark them as junk and block them than it is to attempt to unsubscribe.