Hard-Earned Lessons about Cloud Computing in the Capital One Data Breach
One of the largest-ever thefts of financial data, the data theft at Capital One, came to light early this week. This latest data breach has given the business community many hard-earned lessons about cloud computing.
Last July 29th, Capital One Financial Corporation disclosed that on July 19, 2019, it determined that information relating to individuals who had applied for the company’s credit card and credit card products had been illegally accessed. Capital One said the data theft affected approximately 100 million individuals in the U.S. and approximately 6 million in Canada.
The company said the largest category of information that was illegally accessed was information that the company collected from 2005 through early 2019, specifically personal information that the company routinely collects at the time it receives credit card applications, including names, dates of birth, addresses, self-reported income, zip codes/postal codes, phone numbers and email addresses.
In addition to credit card application data, Capital One said, the perpetrator also illegally accessed customer status data (credit scores, credit limits, balances, payment history, contact information); a portion of transaction data for a total of 23 days during 2016, 2017 and 2018; approximately 140,000 Social Security numbers of credit card customers; and approximately 80,000 linked bank account numbers of secured credit card customers. The company added that approximately 1 million Social Insurance Numbers of Canadian credit card customers were illegally accessed.
According to Capital One, this data breach will cost the company approximately $100 to $150 million in 2019. The expected costs, the company said, will be driven mostly by customer notifications, credit monitoring, technology costs and legal support.
The trove of data illegally accessed was stored in Amazon’s cloud service. Amazon lets large enterprise customers like Capital One build their own web applications for storing data on top of its cloud infrastructure, to accommodate the specific needs of these large organizations. Amazon told the New York Times that its customers fully controlled the web applications they built.
Amazon said it had found no evidence that its underlying cloud services were compromised. Capital One, for its part, said that it immediately “fixed the configuration vulnerability” that the perpetrator exploited.
The U.S. Department of Justice (DOJ), U.S. Attorney’s Office, Western District of Washington, said in a statement that last July 29th a Seattle resident was arrested for the intrusion into Capital One’s stored data. Amazon confirmed to Wired that the arrested Seattle resident is a former employee.
In the indictment document released by the DOJ, Joel Martini, Special Agent at the U.S. Federal Bureau of Investigation (FBI), attested that the arrest came about as a result of a tip sent to Capital One’s official responsible-disclosure email address. The email stated that there appeared to be leaked data belonging to Capital One on someone’s GitHub account and provided the address of the GitHub file containing this leaked data.
As stated in the indictment, the GitHub file, which contained a list of over 700 folders and code for three commands, was checked by Capital One. Capital One found that the first command, when executed, provided security credentials for an account called “Role” (for brevity here) that enabled access to certain storage space in Amazon’s cloud service; the second command, when executed, used the Role account to list the names of the folders in Capital One’s storage space there; and the third command, when executed, used the Role account (which had the requisite permissions) to extract or copy data from the above-mentioned folders.
According to FBI Special Agent Martini, the GitHub account turned out to belong to the arrested Seattle resident, who goes by the handle “erratic” in many of her online accounts, including Twitter and Slack. Martini said erratic reached Capital One’s cloud data via a misconfigured web application firewall.
Cybersecurity Best Practices
Here are some cybersecurity best practices in order to prevent a Capital One-like data breach:
1. Conduct Regular IT Audit
The Capital One data breach could have been prevented through regular IT audits. One of the areas covered in most IT audits is misconfiguration. In the case of Capital One, an IT audit could have identified the misconfigured web application firewall.
The role of a web application firewall (WAF) is to filter, monitor and block traffic to and from a web application. In the case of the Capital One data breach, FBI Special Agent Martini said that on or about March 12, 2019, an IP address beginning with 46.246 attempted to access Capital One’s data.
Based on publicly available records, the Special Agent said, this IP address is controlled by a company that provides VPN services. A properly configured WAF could have blocked the access attempts from unfamiliar IP addresses.
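The indictment passage above describes a role’s credentials being used first to list storage folders and then to copy their contents, and this section adds that the calls came from an IP address outside the company’s own networks. Both patterns are visible in cloud API audit logs. The block below is an added example, not code from Capital One, Amazon or the indictment: it runs a simple detection over constructed CloudTrail-style records (field names follow CloudTrail’s schema, the values, role ARNs and trusted network ranges are made up for the example) and flags any role session that calls from an untrusted network or that enumerates buckets and then reads many objects in one session.

```python
"""Added example: flag role sessions that enumerate storage and bulk-read
objects, or that call from untrusted networks, in CloudTrail-style records."""
import ipaddress
from collections import defaultdict

# Networks the hypothetical application role is expected to call AWS from.
# Constructed for this example: an internal VPC range plus one NAT address.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.5/32"),
]

# After a ListBuckets call, this many GetObject calls in one session is
# treated as bulk copying. Tune to the workload's real read pattern.
BULK_READ_THRESHOLD = 3

# Hypothetical role-session ARNs (placeholders, not from the incident).
_APP_SESSION = "arn:aws:sts::111122223333:assumed-role/EXAMPLE-DataRole/i-0abc"
_OTHER_SESSION = "arn:aws:sts::111122223333:assumed-role/EXAMPLE-ReportRole/i-0def"


def _event(time, name, ip, arn):
    """Build one constructed CloudTrail-style record."""
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "AssumedRole", "arn": arn}}


# Constructed sample log: one session lists buckets and then pulls four
# objects from an outside address; another does routine reads from the VPC.
SAMPLE_EVENTS = [
    _event("2019-03-22T08:00:00Z", "ListBuckets", "46.246.0.10", _APP_SESSION),
    _event("2019-03-22T08:00:05Z", "GetObject", "46.246.0.10", _APP_SESSION),
    _event("2019-03-22T08:00:06Z", "GetObject", "46.246.0.10", _APP_SESSION),
    _event("2019-03-22T08:00:07Z", "GetObject", "46.246.0.10", _APP_SESSION),
    _event("2019-03-22T08:00:08Z", "GetObject", "46.246.0.10", _APP_SESSION),
    _event("2019-03-22T08:01:00Z", "GetObject", "10.0.4.21", _OTHER_SESSION),
    _event("2019-03-22T08:01:30Z", "GetObject", "10.0.4.21", _OTHER_SESSION),
]


def is_trusted_ip(ip, networks=TRUSTED_NETWORKS):
    """True if the source address falls inside one of the expected networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_suspicious_sessions(events, networks=TRUSTED_NETWORKS,
                             threshold=BULK_READ_THRESHOLD):
    """Group records by role session and return one finding per session
    that either called from outside the trusted networks or followed a
    ListBuckets call with at least `threshold` GetObject calls."""
    sessions = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        sessions[ev["userIdentity"]["arn"]].append(ev)

    findings = []
    for arn, evs in sessions.items():
        untrusted = sorted({e["sourceIPAddress"] for e in evs
                            if not is_trusted_ip(e["sourceIPAddress"], networks)})
        saw_list, reads_after_list = False, 0
        for e in evs:
            if e["eventName"] == "ListBuckets":
                saw_list = True
            elif saw_list and e["eventName"] == "GetObject":
                reads_after_list += 1

        reasons = []
        if untrusted:
            reasons.append("calls from untrusted source IP(s): " + ", ".join(untrusted))
        if reads_after_list >= threshold:
            reasons.append(f"ListBuckets followed by {reads_after_list} GetObject calls")
        if reasons:
            findings.append({"role_session": arn, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_EVENTS):
        print(finding["role_session"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The two checks are deliberately independent: an unfamiliar source address is worth an alert on its own, and an enumerate-then-copy sequence is worth one even from an address that looks internal, since an attacker who reaches the data through the application’s own server will appear to come from the expected network.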
2. Encrypt All Critical Data and Protect the Decryption Key or Keys at All Cost
According to Capital One, it encrypts its data as a standard. “Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of data,”Capital One said.
Encryption is the process of converting readable text into ciphertext that cannot be understood without the key. To bring this ciphertext back to plain text, a decryption key is needed. Protecting this decryption key is as important as encryption itself.
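Capital One’s statement that the unauthorized access “also enabled the decrypting of data” is the point of this practice: encryption at rest only helps when the identity that can read the stored ciphertext cannot also obtain the key. The block below is an added example, not Capital One’s or Amazon’s code. It models envelope encryption the way a key management service separates it: each object is encrypted under its own data key, the data key is stored wrapped under a master key that only the key service holds, and unwrapping is a distinct permission (labelled kms:Decrypt here as an illustrative name). A principal that can read the storage but lacks that permission gets ciphertext only. To stay dependency-free the example uses an HMAC-SHA256 counter-mode keystream in place of AES-GCM; that stand-in is an assumption of the example and gives confidentiality but no integrity check, so real deployments use an authenticated cipher from a KMS or a vetted library.

```python
"""Added example: envelope encryption with the unwrap permission kept
separate from storage-read access."""
import hashlib
import hmac
import secrets

_BLOCK = hashlib.sha256().digest_size  # 32-byte keystream blocks


def _keystream_xor(key, nonce, data):
    """XOR `data` with an HMAC-SHA256 counter-mode keystream. Stand-in for
    an authenticated cipher such as AES-GCM; same call encrypts and decrypts."""
    stream = bytearray()
    for block_no in range((len(data) + _BLOCK - 1) // _BLOCK):
        stream.extend(hmac.new(key, nonce + block_no.to_bytes(4, "big"),
                               hashlib.sha256).digest())
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyService:
    """Stand-in for a KMS. Holds the master key, hands out data keys in
    wrapped form, and unwraps only for principals granted kms:Decrypt."""

    def __init__(self, master_key, decrypt_principals):
        self._master_key = master_key
        self._decrypt_principals = set(decrypt_principals)

    def generate_data_key(self):
        """Return (plaintext data key, wrapped data key). The caller uses the
        plaintext key once and keeps only the wrapped form with the object."""
        plain = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        wrapped = nonce + _keystream_xor(self._master_key, nonce, plain)
        return plain, wrapped

    def unwrap(self, principal, wrapped):
        """Recover a data key; this is the gate that storage access does not open."""
        if principal not in self._decrypt_principals:
            raise PermissionError(f"{principal} is not allowed kms:Decrypt")
        nonce, sealed = wrapped[:16], wrapped[16:]
        return _keystream_xor(self._master_key, nonce, sealed)


def encrypt_object(kms, plaintext):
    """Encrypt one object; the stored record carries only the wrapped key."""
    data_key, wrapped = kms.generate_data_key()
    nonce = secrets.token_bytes(16)
    return {"wrapped_key": wrapped, "nonce": nonce,
            "ciphertext": _keystream_xor(data_key, nonce, plaintext)}


def read_object(kms, principal, stored):
    """What a principal with storage-read access can do with a record:
    plaintext comes back only if the key service unwraps the key for it."""
    data_key = kms.unwrap(principal, stored["wrapped_key"])
    return _keystream_xor(data_key, stored["nonce"], stored["ciphertext"])


def try_read(kms, principal, stored):
    """Plaintext if the principal holds both permissions, None otherwise."""
    try:
        return read_object(kms, principal, stored)
    except PermissionError:
        return None


if __name__ == "__main__":
    # Constructed master key and sample record; not real data.
    kms = KeyService(master_key=secrets.token_bytes(32), decrypt_principals=["app-role"])
    record = encrypt_object(kms, b"applicant SSN 000-00-0000 (constructed sample)")
    print("app-role:", try_read(kms, "app-role", record))
    print("storage-only-role:", try_read(kms, "storage-only-role", record))
```

In this model a compromised identity that holds only storage-read access walks away with ciphertext and a wrapped key it cannot open; the incident described on this page is the case where the stolen credentials carried both permissions, which is why auditing who can call the key service’s decrypt operation matters as much as enabling encryption.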
3. Refrain from Storing Unnecessary Old Data
Keeping decades-old data in the cloud is a security risk, not to mention a drain on resources. In the case of Capital One, a portion of the data that was hacked dates back nearly two decades, data that may no longer be current, such as phone numbers. Chances are people have changed their phone numbers due to the advancement of telecommunications.
Cybercriminals don’t discriminate. Conducting regular IT audits is key to protecting your mission-critical information. Trust our experts with years of experience protecting Canadian businesses. To identify weaknesses and receive an actionable defence plan, call us today at (416) 920-3000 or email email@example.com