Capital One Data Breach Highlights Need for Supply Chain Security
If Capital One’s in your wallet, you may have a problem.
Capital One has confirmed that a malicious hacker gained access to more than 100 million of its customers’ accounts and credit card applications earlier this year. The data breach affected about 100 million individuals in the United States and about 6 million in Canada.
The largest category of information accessed was information on consumers and small businesses from when they applied for credit cards from 2005 through early 2019. This information included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income.
Other information included credit scores, credit limits, balances, payment history, contact information, about 140,000 Social Security numbers of credit card customers, and about 80,000 linked bank account numbers of secured credit card customers.
The FBI has arrested Paige Thompson, a former AWS employee in Seattle, for allegedly hacking into a server rented by Capital One.
“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” the bank said. “However, we will continue to investigate.”
Chet Wisniewski, principal research scientist at Sophos, tells us the loss of consumer information at Capital One is another example of a trend in data loss incidents that are becoming increasingly commonplace — especially in recent months.
“Supply-chain security is a critical component for information security, and as organizations embrace cloud technology, they need to understand and address the inherent risks to information stored there,” he said. “Securing every aspect of the supply chain has never been more important, and that not only includes the physical and software components of information systems, but also staff and the staff of those who provide you with the services needed to deliver your product.”
Protecting sensitive information you have been entrusted with applies whether that data is stored on your own computer equipment or someone else’s, Wisniewski said.
“Encryption and access control is essential regardless of where, and especially if, you are storing sensitive business data,” he said.
Rob Cataldo, Kaspersky’s vice president of U.S. enterprise sales, tells us it appears the attacker exploited a misconfigured web application firewall that gave her privileges to access S3 data on a cloud-hosted server. Without knowing the extent to which this misconfiguration occurred or the exact method used for exploitation, it’s difficult to tell whether an improved posture may have prevented the breach from happening, he said.
“Unfortunately, this event validates that data breaches are becoming inevitable, even for organizations with sizable investments and resources dedicated to cybersecurity,” he said. “This being the case, security vendors and MSSPs should be proactive in ensuring their customers are optimally configured and trained through proper customer life-cycle management, the result of which could be prevention or earlier detection of a breach. Moreover, vendors and MSSPs with knowledge in this space should help prepare organizations in case of a breach to best minimize the damage caused through authoritative, appropriate, accurate and timely actions.”
Monique Becenti, product and channel specialist at SiteLock, tells us a breach like this indicates that even digitally minded organizations can be impacted by a cyberattack. Data breaches not only impact operations, but can jeopardize …