Capital One Data Breach

The latest Data Breach is here

Yep, another one bites the dust: Capital One is the most recent of the financial data breaches. This one is massive. It is estimated that over 100 million Americans and six million Canadian individuals are affected. These data breaches seem to be getting more and more common.

The FBI

The FBI has apparently charged a woman with computer fraud and abuse. She is a former employee of AWS. Her résumé states she was a systems engineer at a cloud computing company. An Amazon spokesperson did not reply to a request for comment. It is reported that a misconfigured cloud firewall is the attack vector. Sounds kind of fishy to me.

The bulk of the exposed data involves information including addresses, dates of birth and self-reported income, according to the Wall Street Journal.

Other information compromised in data breach

The data breach is believed to include credit scores, payment histories and credit limits. Those affected are said to be individuals and businesses that applied for Capital One credit cards between 2005 and 2019.

Capital One

Capital One chairman and chief executive Richard D. Fairbank expressed his “deep sorrow” for the data breach incident and his commitment to making it right. While this sounds good, I am highly skeptical about his concern. I doubt it is more than lip service to quell the ire of those affected and the general public. Sounds like the typical ‘cover your ass’ strategy to me.

The reason I say this is that, as I noted in my article of July 2, 2019, only 38% of C-suite members said they would work with the security team to solve a security issue. You may also want to read the Top 5 Excuses For Not Having a Cyber Security Program article I wrote on May 17, 2019. While that article focuses on companies with a smaller budget, I wonder how many of the excuses will come into play here.

I understand that one of a CEO’s main responsibilities is to ensure the profitability of the company. Does that mean protecting the PII of customers from a data breach is secondary at best? I am only speculating here, but something just isn’t sitting well with me. If we really dig into the underlying causes of these breaches, what will we find? Will we discover security costs were minimized to allow for increased profit margins?

Will Fairbank actually take responsibility? I highly doubt it. I figure he will be allowed to retire with a healthy ‘Golden Parachute’ plan and fade into obscurity. While he may not be directly responsible, it happened on his watch.

What about the safeguards to prevent a data breach

Safeguards we are taught about in every cyber security class or course are taught for a reason. A misconfiguration in a firewall should never slip through the cracks, especially for payment card providers. I mean, aren’t they the ones who publish and enforce the PCI-DSS? A firewall is a first line of defense and should never be a single point of failure. I bet they will try to push some of the blame on Amazon because it was their cloud service where the data was stored.

I realize that cloud solutions are more cost-effective and address availability. There is also an inherent risk that the storage hardware is not really under your control; you may be at the mercy of whoever actually owns it. Even though the servers may ultimately be under AWS control, the decision to rely on the AWS cloud was made by Capital One. I personally don’t see the need to store 14 years of data in an apparently publicly accessible place. Read requirement 3 of PCI-DSS on page 14 of the quick reference guide linked below.

Data Security

If a firewall misconfiguration led to the data breach, then safeguards were not adhered to, and I will address that in a moment. First, though, realize that there are three states of data: data at rest, data in motion, and data in use. There are ways to protect data in all three states.

What about encryption

This scenario seems to have affected data at rest. I only say this because records from 2005 were in the mix, and those were being stored. Encryption is supposed to protect data from unauthorized access and use. Hopefully the encryption used was strong and the keys were not compromised.

PCI-SSC (Payment Card Industry Security Standards Council)

They are the ones who write the PCI-DSS (Payment Card Industry Data Security Standard). PCI-DSS states some pretty stringent rules that must be complied with. The first rule for compliance states that you must Build and Maintain a Secure Network. The first requirement is having firewalls in place and testing whenever changes are made to configurations. Just a bit further along, requirement 3 states that you must PROHIBIT direct public access between the internet and ANY system component in the cardholder data environment.

So far we have identified that two of the first three subsections were violated. We could even say three strikes, but they may have complied with the testing required when changing firewalls or configurations, although it doesn’t look that way.
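The prohibition on direct public access into the cardholder data environment is something you can check for mechanically rather than trusting a change ticket. The following is an added example, not code from this post or from any vendor: a small Python audit over security-group data in the shape that boto3's EC2 describe_security_groups() returns, with a constructed sample standing in for a live account. It assumes groups in the cardholder data environment carry a Scope=CDE tag, which is a convention chosen for this example, not a PCI-DSS rule.

```python
from ipaddress import ip_network

WORLD_CIDRS = ("0.0.0.0/0", "::/0")
# Address space that cannot arrive straight from the public internet (RFC 1918 and IPv6 ULA).
PRIVATE = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed sample in the shape of boto3's EC2 describe_security_groups() output;
# group ids, the Scope=CDE tag convention and the CIDRs are made up for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-cde-db", "Tags": [{"Key": "Scope", "Value": "CDE"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # every protocol, from anywhere
    ]},
    {"GroupId": "sg-web", "Tags": [], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
]

def classify_source(cidr):
    """'world' for an any-address CIDR, 'private' for RFC 1918/ULA space, otherwise 'public'."""
    if cidr in WORLD_CIDRS:
        return "world"
    net = ip_network(cidr, strict=False)
    return "private" if any(net.version == p.version and net.subnet_of(p) for p in PRIVATE) else "public"

def port_label(perm):
    """Readable protocol/port for one IpPermissions entry (protocol '-1' means all traffic)."""
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"

def find_public_ingress(groups):
    """List (group, source, ports, severity) for each rule that admits outside traffic.
    A Scope=CDE group is flagged for ANY non-private source, since cardholder systems must
    not be directly reachable from the internet; other groups only for world-open rules."""
    findings = []
    for sg in groups:
        in_cde = any(t["Key"] == "Scope" and t["Value"] == "CDE" for t in sg.get("Tags", []))
        for perm in sg["IpPermissions"]:
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                kind = classify_source(cidr)
                if kind == "world" or (in_cde and kind == "public"):
                    findings.append((sg["GroupId"], cidr, port_label(perm), "HIGH" if in_cde else "MEDIUM"))
    return findings
```

Against a live account you would pass boto3's `ec2.describe_security_groups()["SecurityGroups"]` to find_public_ingress in place of SAMPLE_GROUPS; anything returned as HIGH is exactly the direct public access the standard prohibits.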

You can take a look at the PCI-DSS Quick Reference Guide by clicking on the link or visiting https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
Right on the cover page it makes the following clear statement: “For merchants and entities that store, process or transmit cardholder data.”

I apologize for the rant, but I am getting tired of finding out about these huge data breaches. In fact, I just completed the enrollment for the Equifax settlement credit monitoring service two days ago.
