The Capital One Hack: 3 Questions about Data Security in the Cloud

Financial services company Capital One suffered a breach that exposed the data of roughly 100 million individuals in the U.S. and approximately 6 million people in Canada. The breached data included 140,000 U.S. Social Security numbers, 80,000 bank account numbers, and 1 million Canadian Social Insurance numbers. According to the bank and the U.S. Department of Justice, the breach also impacted an undisclosed number of names, addresses, credit scores, transaction data and other information. Federal prosecutors said the stolen “data varies significantly in both type and amount,” but “much of the data appears not to be data containing personal identifying information.”

According to the federal court filing, the person accused in the breach is a former Amazon employee, Paige A. Thompson, who allegedly exploited a misconfiguration in a web application firewall to steal the data from an AWS database. The hacker got access to personal information related to credit card applications at Capital One. The filing also stated that the hacker accessed data of “other companies, educational institutions, and other entities.”

According to Capital One, the breach took place on March 22 and 23, 2019. However, it remained undiscovered until July 17, when an external security researcher notified the bank through the Responsible Disclosure Program. Capital One then fixed the misconfiguration. Thompson was arrested and charged with stealing data. The government continues its investigation.

Capital One is working to notify data breach victims and plans to provide free credit monitoring and identity protection. The company expects the breach to cost between $100 million and $150 million, including the costs for customer notifications, credit monitoring, legal support and tech expertise.

The Capital One hack is a textbook example of a data breach: a misconfiguration due to a human error, an attacker who found that vulnerability, and a company that couldn’t spot the unusual activity in time to prevent a massive data breach that left millions of people at risk of becoming victims of fraud or identity theft. Because this breach involved a progressive bank with a strong online presence, it caused an uptick in discussions around cloud security risks.

In this article, we explore the most important questions regarding cloud security and share some comments we heard from IT security pros.

How would you know that you’ve been breached?

As a major player in the highly regulated finance industry, Capital One was well aware it was an appealing target for cyberattacks. Following modern security best practices, they took an assume-breach posture, and had a team of risk managers and cloud engineers develop a cloud risk framework as part of their cloud migration strategy. They clearly had a well-thought-out incident response plan, since once they were informed of the data breach, they were able to trace the attacker’s steps. However, they were unable to detect the threat before the attacker could steal their sensitive data.

To avoid the same fate, companies should ask themselves these three questions:

  • Can we detect unusual activity? Security best practices require organizations to ensure they can spot aberrant behavior with technologies like user behavior analytics. It’s vital to monitor spikes in user activity, such as a large number of failed access attempts or file modifications, as well as all unusual attempts to access sensitive data.
  • How effective is our detection system? All too often, security teams miss alerts on truly suspicious activity because they are overwhelmed by a sea of false alarms. To reduce the noise, ensure that your detection system is configured correctly, and integrate it with solutions that automatically filter out unimportant events or consolidate multiple events into one. Make sure that your IT and security departments have the resources they need to do their jobs effectively.
  • Do we have the skills to prevent, spot and mitigate human errors? Gartner reports that nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement or mistakes. You can’t rely solely on cloud providers to ensure security in the cloud; you need to make sure your cloud security teams have a deep understanding of cloud security and know how to identify and fix missing or weak cloud security controls. Give them the right tools to help them focus on what really matters in your environment, and provide regular training that boosts their expertise in tackling the evolving challenges of cloud security.
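The kind of monitoring the first question calls for, as an added example that is not code from the article, from Capital One or from AWS: a small Python detector replays constructed access-log lines and flags a burst of denied attempts by one principal and a principal whose hourly reads of sensitive records far exceed its own baseline. The log format, field names, thresholds and the invented events placed on the March 22 timeline are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_line(line):
    """Parse one constructed 'ts key=value ...' access-log line (format assumed)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["sensitive"] = rec.get("sensitive") == "true"
    return rec

def failed_attempt_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Principals with >= threshold denied attempts inside any sliding window."""
    recent, flagged = defaultdict(deque), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] != "denied":
            continue
        q = recent[e["principal"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(e["principal"])
    return flagged

def sensitive_read_outliers(events, baseline_end, factor=5, min_count=20):
    """Principals whose busiest hour of sensitive reads after baseline_end
    exceeds factor x their busiest baseline hour (and at least min_count)."""
    hourly = defaultdict(lambda: defaultdict(int))  # principal -> hour -> reads
    for e in events:
        if e["outcome"] == "allowed" and e["sensitive"]:
            hourly[e["principal"]][e["ts"].replace(minute=0, second=0)] += 1
    flagged = {}
    for principal, buckets in hourly.items():
        base_peak = max((c for h, c in buckets.items() if h < baseline_end), default=0)
        peak = max((c for h, c in buckets.items() if h >= baseline_end), default=0)
        if peak > max(min_count, factor * base_peak):
            flagged[principal] = peak
    return flagged

def _constructed_log():
    """Constructed sample: a normal day, then a burst of denials and a bulk read."""
    fmt = "{:%Y-%m-%dT%H:%M:%SZ} principal=app-web outcome={} resource=card-apps sensitive=true"
    t0, t1, t2 = datetime(2019, 3, 21), datetime(2019, 3, 22, 9, 50), datetime(2019, 3, 22, 10)
    lines = [fmt.format(t0 + timedelta(hours=h, minutes=7 * i), "allowed") for h in range(24) for i in range(3)]
    lines += [fmt.format(t1 + timedelta(seconds=20 * i), "denied") for i in range(6)]
    lines += [fmt.format(t2 + timedelta(seconds=20 * i), "allowed") for i in range(120)]
    return lines

EVENTS = [parse_line(l) for l in _constructed_log()]
BASELINE_END = datetime(2019, 3, 22)
```

Both checks run over the same event list, so the burst of denials just before the bulk read shows up as two independent alerts on the same principal.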

Attila Tomaschek, Digital Privacy Expert

Proper security monitoring practices by Capital One could have detected the unusual activity and perhaps stopped the attacker in her tracks right away, or at least minimized the damage. Companies need to make certain that they have the necessary security strategies and procedures in place to continually monitor and detect unauthorized access to their systems in the cloud. Implementing artificial intelligence tools can be very effective in mitigating cyber risks. Similarly, even though this wasn’t quite the case in the Capital One hack, companies need to be very careful with access level authorizations to ensure that only those individuals have access to critical systems that absolutely need access to them.

Do you have control over your sensitive data in the cloud?

The cloud offers a lot of benefits, from ease of collaboration to lower IT costs. But while Capital One made AWS a key part of its technology strategy, many businesses are far less enthusiastic about the cloud — mainly for security reasons. According to the 2019 Netwrix Cloud Data Security report, almost half of organizations that store all their sensitive data in the cloud are considering moving it back on premises, often because of security concerns.

To avoid this situation, organizations should take a data-centric security approach. There is no shortage of security tools that can provide advanced levels of protection, and most quality cloud service providers supply tools to help customers secure their data.

The following best practices are necessary to establish control over sensitive data:

  • Get an in-depth understanding of your data. Use discovery and classification to get deep insight into your data. With that detailed understanding, you can implement appropriate security policies, such as prohibiting the storage of highly sensitive data in unapproved cloud services.
  • Document your security policies and train users on them. Explain how sensitive data should be handled and which security mechanisms it requires. Inform users of the rules of expected behavior.
  • Control access to data. Rigorously enforce the least-privilege principle. Review access rights at least every six months, as well as after each important event, like an employee termination.
  • Use encryption. Determine which data needs to be encrypted, develop appropriate policies and apply those policies consistently. Encryption keys should be kept securely by trusted individuals.
  • Regularly look for weaknesses. Think like a cybercriminal and proactively look for security vulnerabilities. Security experts recommend running risk assessments at least once a month.

Dominic Sartorio, SVP of Products and Development at the data-centric security firm Protegrity

The best plan to get control of your cloud data is by implementing and managing your own approaches and technology for data security — before any data is sent to the cloud. They should match at least the level of security that you expect in internal environments, such as databases or file systems. Security needs to be systemic. You need to approach the problem by first selecting technology that can provide the required security services. This also means that, in many cases, you don’t allow the cloud provider to control your data. Instead, you leverage a security approach and technology that spans from your enterprise to the cloud, allowing you to control data security systemically, in any places that the data exists.

How are security responsibilities divided between our IT teams and our cloud provider?

When cloud computing was in its infancy, high security in public cloud environments was kind of an oxymoron. Today, however, cloud service platforms offer a variety of security mechanisms. Nevertheless, responsibility for the security of your data does not rest solely on the shoulders of your cloud providers. Gartner predicts that “through 2022, at least 95% of cloud security failures will be the customer’s fault.”

While Amazon Web Services provides the remote servers used for data storage, Capital One ran its own web applications on top of Amazon’s infrastructure. So, it is not surprising that Amazon has distanced itself from the recent data breach, saying that clients are responsible for the applications running in their cloud environment and the data stored there.

Regardless of where your data resides, it’s your responsibility to protect it against cyber threats. You should clearly define the roles and responsibilities of your cloud providers and your company.

Peter Richards, CTO, Cloudreach

The knee-jerk reaction here will be to blame the cloud — since the alleged culprit appears to be an AWS employee who gained access to a compromised server. But the truth is, all of this is possible no matter where the server was housed. Public, private, hybrid or on-prem — none of them would have been secure. In some respects, the fact that the environment was supported on AWS was a positive. It was easier to diagnose the problems and then address them, since evidence of logging couldn’t be removed. The fact is, a person hacked Capital One, not a cloud provider.

Conclusion

The details of the Capital One breach reveal a disturbing truth: What happened to the cloud security pros at Capital One could happen to anyone. You might have a security gap that leaves the door open for attackers even if you are using a trustworthy cloud provider and have a strong security team.

The breach highlights the importance of keeping alert to unusual activity and proactively mitigating security gaps to help prevent breaches. Being prepared to respond to attacks is also critical, since it’s not a question of “if” you will suffer a breach, but rather a question of “when” it will happen.