The Capital One Data Breach: Lessons Learned
Posted on Tuesday, September 3rd, 2019 by

What are some of the lessons learned from the recent and unarguably massive Capital One data breach?

Data has been likened to gold and oil. Whatever analogy we give it, one thing is for sure, it is a valuable commodity.

The result of this? Data breaches are ubiquitous. One of the latest in a continuing line of breached organizations resulting in eye-watering data exposures is the financial institution Capital One.

In fact, the Capital One breach falls into the mega-breach category. Capital One, like many previous companies that have been victims of mega-breaches, is now facing a class-action lawsuit.

In this blog article, we take a look at what happened and what we can do to prevent our own organization from suffering a data breach.

What Happened in the Capital One Data Leak?

In brief, here is a look at the Capital One breach facts:

  • On July 19, 2019, Capital One noted a data breach by an external entity had occurred. The result was a breach of major proportions involving millions of customers and their highly sensitive personal and financial data.
  • 106 million data records in total: 100 million U.S. and 6 million Canadian customer accounts were breached.
  • The data exposed included:
    • Personal data: names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income
    • Status data: credit scores, credit limits, balances, etc.
    • Other data: 140,000 Social Security and 80,000 linked bank account numbers, 1 million Social Insurance Numbers of Canadian customers

How Capital One Was Breached

The investigation into how the breach happened continues.

The most likely explanation is that the vulnerability was due to a misconfiguration of an open source Web Application Firewall (WAF). The WAF was, interestingly, hosted in Amazon’s AWS environment, a setup that Thompson would likely have been knowledgeable about.

The breach at Capital One is probably due to a combination of factors. These include the poor application of resource access permissions, i.e. an IAM privileged account issue, as well as a misconfiguration in setting up the WAF.

Cybersecurity journalist Brian Krebs has attributed the attack to a Server Side Request Forgery (SSRF). Internet security watchdog OWASP describes an SSRF attack as a situation where “the attacker can abuse functionality on the server to read or update internal resources.”
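A server-side guard against the SSRF pattern OWASP describes, as an added example that is not code from the original article: before the server fetches a user-supplied URL, it refuses any destination that resolves to an internal address. The host names, the addresses in `SAMPLE_DNS` and the function names are assumptions constructed for the illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed name -> address table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "partner.example": ["93.184.216.34"],
    "reports.example": ["93.184.216.34", "10.0.0.5"],  # one internal answer
    "intranet.example": ["::ffff:10.0.0.5"],           # IPv4-mapped IPv6
}

def sample_resolver(host):
    """Hypothetical resolver: IP literals resolve to themselves, names via SAMPLE_DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return SAMPLE_DNS.get(host.lower(), [])

def real_resolver(host):
    """Drop-in replacement for sample_resolver that uses the system resolver."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except (socket.gaierror, UnicodeError):
        return []

def is_internal(addr):
    ip = ipaddress.ip_address(addr.split("%")[0])      # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                            # judge the embedded IPv4
    return not ip.is_global or ip.is_multicast

def check_outbound_url(url, resolver=sample_resolver):
    """Return (allowed, reason) for a URL the server has been asked to fetch."""
    try:
        parts = urlsplit(url)
        host, _port = parts.hostname, parts.port       # .port raises on junk
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host or parts.username is not None:
        return False, "missing host or embedded credentials"
    addrs = resolver(host)
    if not addrs:
        return False, "host does not resolve"
    internal = [a for a in addrs if is_internal(a)]
    if internal:                                       # any internal answer fails
        return False, "resolves to internal address " + internal[0]
    return True, "ok"
```

The fetch itself should connect to the address that passed the check and repeat the check on every redirect, otherwise a second DNS lookup can return a different answer.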

Security misconfigurations have been behind a number of data breaches in recent years. Data breaches such as Suprema and Exactis had similar profiles. In the case of the Exactis breach, which exposed 340 million customer records, the cause was an unauthenticated database that was publicly available.

OWASP identifies security misconfiguration as a top 10 security issue. A study by Threat Stack found that 73 percent of organizations have at least one critical security misconfiguration. The top type of misconfiguration was leaving secure shell (SSH) unprotected so that anyone can remotely access a server from anywhere. The other common misconfiguration was using first-factor authentication only, or no authentication at all.


What Can We Learn from the Capital One Data Breach?

When securing data, we have a number of considerations. They often dovetail and are dependent on one another – miss out one area and insecurities and risk levels will intensify.

In the case of Capital One, it may be that several planets aligned to increase the probability of a breach occurring. A mix of privileged access misuse, misconfiguration of a WAF, and possibly poor security hygiene, including patch awareness, may all have contributed to the breach.

To avoid our own data breaches, we must ensure that all possible weaknesses are addressed to maintain robust security.

How to Improve Your Security Hygiene

To avoid misconfiguration and privileged access misuse, here are some recommendations that may come in handy for you:

  1. Ensure that the secure installation of servers and databases follows industry specifications
  2. Create a process for installing web servers and databases that is repeatable and built to industry standard security policy (see the OWASP advisories)
  3. Always use the most robust authentication supported by the application, at least two-factor and ideally, risk-based authentication
  4. Ensure that privileged access is correctly privileged and not open to all
  5. Have an enforceable policy that requires updates and patches to be regularly applied
  6. Perform pre-production penetration testing (“ethical hacking”) and production pen testing of your implementation to ensure the system is hardened against known attack vectors
  7. Monitor and Audit. An often-forgotten area is the use of logs and audit monitoring across a network. Audited events can offer a view of a security event allowing you to forensically analyze unusual patterns and behaviors.
  8. Prepare all staff, including IT administrators, by carrying out security awareness training that is pertinent to their level of understanding and needs
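A small audit for two of the misconfigurations discussed above, SSH reachable from anywhere and privileged access that is "open to all", as an added example that is not part of the original article. The inventory is constructed sample data shaped like AWS security group and IAM policy JSON; all group IDs, policy names and the function names are assumptions.

```python
# Constructed inventory shaped like AWS DescribeSecurityGroups output and IAM
# policy documents; every ID, name and ARN below is made up for this example.
SECURITY_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-admin", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-batch", "IpPermissions": [   # all protocols, all ports
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
POLICIES = {
    "app-role-policy": {"Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "report-reader": {"Statement": {   # single statement given as an object
        "Effect": "Allow", "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-reports/*"}},
}

def as_list(value):
    """IAM allows a scalar where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]

def ssh_open_to_world(groups, port=22):
    """Return (group id, CIDR) for every rule exposing `port` to any address."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            covers = proto == "-1" or (
                proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            findings += [(group["GroupId"], c) for c in cidrs
                         if covers and c in ("0.0.0.0/0", "::/0")]
    return findings

def wildcard_grants(policies):
    """Return names of policies that allow a wildcard action on every resource."""
    findings = []
    for name, doc in policies.items():
        for st in as_list(doc.get("Statement", [])):
            actions, resources = as_list(st.get("Action", [])), as_list(st.get("Resource", []))
            broad = any(a == "*" or a.endswith(":*") for a in actions)
            if st.get("Effect") == "Allow" and broad and "*" in resources:
                findings.append(name)
    return findings
```

Run on a schedule against exported configuration, a check like this feeds the monitoring and audit step in item 7 with concrete findings to triage.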


A Managed Security Services Provider (MSSP) can offer you a cost-effective way to cover the areas needed to avoid a data breach. The security expertise available to organizations who make use of managed security services ensures systems are correctly set up and secured.


Additional Recommendations

Other recommendations that warrant consideration and that can help maintain good data governance include:

  • Only collect the data you really need to maintain your service
  • Carry out regular risk assessments on the data you have collected
  • Place security as a design goal when developing overall infrastructure and architectures when dealing with data

Capital One, the Fallout?

Morgan Stanley estimates that Capital One may have to pay up to $500 million in costs associated with the breach. Also, the share price of Capital One dropped around 6% after the breach.

In addition to hefty fines and share price drops, companies that experience breaches involving a loss of customer data end up losing much more than just money. The loss of customer trust and, in turn, loyalty, is an intangible cost that can take years to recover from.

Data breaches have far-reaching impact and should be a priority in terms of risk-mitigation for an organization that handles data. Proper attention to the details of security is needed to ensure that preventable issues such as misconfigurations do not offer cybercriminals your customers’ data on a plate.
