While large-scale corporate data breaches are now the norm rather than the exception, the recent Capital One data breach stands out for its size, with over 100 million affected individuals in the United States and Canada. That alone makes the data breach one of the biggest ever. Throw in the fact that the hacker behind the Capital One data breach managed to walk away with over 140,000 Social Security numbers; 1 million Canadian Social Insurance numbers; and linked bank account numbers for over 80,000 credit card customers and you can start to see why class action lawsuits are appearing all over against Capital One. Based on available evidence, Capital One appears to have been negligent in its handling of very sensitive personal information. That, in turn, is leading to a lot of serious questions being asked about what happens next after this massive Capital One data breach.
Details of the Capital One data breach
When news of the Capital One breach first broke on July 19, the initial thought was that a group of sophisticated hackers had discovered some new zero-day exploit within Capital One’s computer code, enabling them to access the consumer data. But that data breach narrative was quickly discarded as law enforcement authorities arrested and charged Paige Thompson, a 33-year-old former Amazon Web Services software engineer, with computer fraud. As it turns out, Thompson had been publicizing news of her exploit (which dated back to March 2019) all over the web, and it was only a matter of time before law enforcement got involved. Not only was Thompson blatantly posting about her access to the Capital One data on social media, but she was also uploading information related to the Capital One data breach to GitHub, the popular code-sharing platform. And she was doing so without using any kind of alias or assumed identity – everything was right there, out in the open.
The fact that Thompson was so blatant in describing and publicizing the Capital One data breach is one good reason why it could be so easy to bring class action lawsuits against Capital One. And that already appears to be the case. In Connecticut, for example, there is already a class action lawsuit (Kevin Zosiak et al. vs. Capital One Financial Corp.) that has been brought against the Virginia-based company, which ranks as the fifth-largest credit card issuer. And, in New York State, the State Attorney General has already promised an investigation into the case, which could lead to further legal action being taken against Capital One. In one other class action lawsuit, both Capital One and GitHub (where the hacker was posting about the data breach) are named as defendants, due to their overall negligence in protecting valuable consumer data. Given the size and scale of the breach – affecting over 106 million credit card customers across North America who filled out credit card applications – it’s possible to speculate that Capital One’s legal headaches are just beginning.
“Hackers are more sophisticated and targeted with their attacks than ever before, resulting in massive vulnerabilities for even the world’s largest organizations. These threats are made worse by the distributed nature of today’s workforce with employees using their own devices and constantly accessing cloud-based applications,” said Paul Martini, co-founder and CEO of iboss. “Consumers and companies alike need to recognize the current threats to their personal information and implement the necessary barriers to protect themselves against the variety of attacks being waged. It will be interesting to learn about the length of time it took for Capital One to detect and respond to the attack. These two components are critical in minimizing the severity of attacks as well as preventing future data breaches, and while Capital One is armed with the resources to respond quickly, other organizations who aren’t in the same position will struggle.”
The role of cyber insurance in data breaches
Perhaps the only factor that is currently in Capital One’s favor is that it holds over $400 million in cyber insurance coverage. This is subject to a $10 million deductible, but would appear to be more than enough to cover all legal and regulatory contingencies related to a massive, large-scale data breach. The big question, of course, is whether Capital One’s cyber insurer will actually pay out – and if it does, if it will be willing to cover the full costs associated with the Capital One data breach. In the past, for example, other cyber insurers have refused to pay out, citing a confusing mix of reasons why they should not be on the hook. In theory, if the cyber insurance company can prove that Capital One lacked adequate internal security controls to prevent such a data breach in the first place, then it will go a long way towards insulating the insurer from future insurance claims.
Thus, here’s perhaps one of the biggest implications of the Capital One data breach – if a company goes the full measure of actually taking out a costly cyber insurance policy, and the cyber insurer refuses to pay, then why would anyone really want to take out a cyber insurance policy in the future? In terms of analogies, you can think of the 100-million-customer Capital One data breach as the sort of mega-breach that would qualify as a “storm of the century” or other type of catastrophic storm within the traditional insurance industry. In those types of cases, consumers who take out a policy for their home if, say, they live along the coastline in an area known to be subject to hurricanes or cyclones, generally expect to be paid out and made whole if their homes are destroyed as the result of a catastrophic event. In North America, any insurer that tried to skip out on paying such hurricane claims would be shunned and treated with opprobrium. So why should it be any different with cyber insurers that refuse to pay out in the case of similar “storms” (i.e. mega-data breaches)?
The perils of storing data in the cloud
The Capital One data breach also raises some very serious questions about the safety and security of storing sensitive data in a public cloud. In the case of Capital One, the credit card issuer was storing all sorts of sensitive data – including names, addresses, dates of birth, credit scores, credit limits, and transaction data – in the Amazon cloud. That helps to explain how an Amazon Web Services (AWS) employee was able to access the data so easily. For a growing number of companies around the world, it’s now commonplace to store data on Amazon’s public cloud, and AWS is actually one of the most profitable divisions of Amazon due to the popularity of public clouds.
When reading through the details of the Capital One data breach, it becomes obvious that tapping into the credit card issuer’s data did not require a high level of expertise. Yes, it required someone familiar with Amazon’s public cloud, but just about any mid-level employee could have pulled this off. Paige Thompson, the alleged hacker in this case, simply took advantage of a misconfigured open-source Web Application Firewall (WAF) on Amazon Web Services. The exact type of cyber attack was a Server-Side Request Forgery (SSRF) attack, which means that the attacker was able to trick a server into making requests on her behalf to internal resources that it should never have been allowed to reach. According to security experts, this is the type of security vulnerability that faces all organizations (regardless of size or sophistication) that use public clouds for data storage.
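The standard mitigation for the SSRF class of bug described above is to refuse to fetch any user-supplied URL unless its host is on an explicit allowlist and every address that host resolves to is publicly routable, so that loopback, private and link-local ranges (such as 169.254.0.0/16, where cloud instance metadata services listen) can never be reached through the server. The following guard is an added example written for this article, not code from Capital One or from any WAF product; the allowlisted hostnames and the `static_resolver` helper are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only hosts this service may fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}


def resolve_all(host):
    """Resolve every A/AAAA record for host (socket errors propagate)."""
    return {ipaddress.ip_address(info[4][0])
            for info in socket.getaddrinfo(host, None)}


def static_resolver(*addrs):
    """Build a fake resolver for offline testing of the guard."""
    return lambda host: {ipaddress.ip_address(a) for a in addrs}


def is_safe_target(url, resolver=resolve_all):
    """True only if url is http(s), its host is allowlisted, and every
    address the host resolves to is globally routable.

    Checking the resolved addresses (not just the hostname) defends
    against an allowlisted name being pointed at an internal address.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname  # strips userinfo like user@ and the port
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError):
        return False
    # is_global is False for loopback, RFC 1918, link-local (169.254/16),
    # reserved and documentation ranges, so one check covers them all.
    return bool(addrs) and all(addr.is_global for addr in addrs)
```

Apply the guard before every outbound fetch the application makes on a user's behalf, and re-check on each redirect hop, since a redirect can otherwise bounce the request to an internal address.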
In the case of the Capital One data breach, the public cloud in question belonged to Amazon. But there are plenty of other companies offering public cloud storage, and so this is really a big question for corporations to figure out: if they decide to use a public cloud from Amazon or Google, are they really prepared for the potentially disastrous consequences of doing so? Unlike a proprietary data storage solution, public clouds by their very nature are at least partially open source. That makes them widely available and widely accessible, and may help to explain why the hacker decided to share all the details of her security exploit on GitHub, a known and respected code-sharing platform.
Giora Omer, Head of Security Architecture at Panorays, suggests that this Capital One data breach will have far-reaching implications: “An interesting aspect to consider in this breach is that Capital One also serves as a supplier for businesses. It has an outstanding security team and the highest standards and methodologies in cybersecurity, particularly in the cloud. Therefore, this breach illustrates how every company is vulnerable – it could be a large, small, critical or low risk supplier. Companies working with suppliers need to make sure of the security standards put in place at the consumer, the type of data that they are sharing with that supplier and how to mitigate risk in case the supplier is breached. Hopefully for Capital One, the different controls put in place, including bounty programs and tokenizing sensitive data, will prevent this breach from becoming Equifax 2.”
Consumer response to the Capital One data breach
Another big question, of course, is what consumers can do to protect themselves from these large-scale data breaches. The Capital One data breach is just the latest in a long series of very public and very embarrassing data breaches that have affected some of the biggest corporations in the world, including Marriott, Target, Home Depot and Equifax. So what can consumers realistically do if they think that they have been the victim of a data breach?
Perhaps the first step to take is to freeze your credit. This relatively simple step can help to protect you from identity theft, or the risk of someone taking out a fraudulent line of credit in your name. The next step is to sign up for some form of monitoring and identity protection service, in order to monitor unexplained changes to your account information. Doing so can help to prevent damaging information from showing up on your credit report and otherwise causing harm to your overall financial standing. Given the scale and scope of the Capital One data breach, the company has promised to provide free credit monitoring and identity protection services to any of the 100 million+ credit card customers affected by the data breach. And, finally, it’s important to be aware of typical “phishing” scams, in which hackers attempt to trick you into revealing details of your personal identity or your financial data. Some security experts are already warning that we could soon be seeing a deluge of phishing scams, as hackers from all over the world pretend to be representatives from Capital One.
A new paradigm for data breaches
What is most concerning about the whole Capital One data breach is just how “normal” it has become. Security data breaches are so routine these days that many consumers are numb to them. They simply throw up their hands, refuse to take action, and assume that their personal information is probably out there anyway, floating around the Dark Web for hackers to find. If it’s not Capital One, then it’s some other trusted data steward to blame.
That, of course, would seem to call for a new paradigm when it comes to data breaches. The current system – in which companies suffer major breaches and customers pay for it – is no longer working. Simply making cyber insurance a more popular option for huge corporations is not really a solution, either, because it only guarantees that companies will not take their security as seriously as they should. Borrowing an analogy from the insurance world, they would likely assume that any mega-breach is similar to a mega-storm – it’s an act of nature, and nothing can really be done to prevent it. But that’s not the case – there’s plenty that corporations can and should be doing to prevent these mega-breaches. Simply throwing up their hands or burying their heads in the sand is not the solution. That, if anything, should be the big takeaway lesson from the Capital One data breach.