The Capital One Breach: Its Impact and What It Teaches Us About Cybersecurity
One hundred million. That’s how many people were affected by the data breach at Capital One, one of the largest credit card issuers. And that’s just in the U.S. Another six million Canadian records were also compromised. The alleged perpetrator was a former software engineer in Seattle, who managed to breach AWS S3 storage buckets through a multi-step targeted attack. The root cause was apparently a misconfigured firewall in the Capital One AWS infrastructure.
Losses suffered by Capital One will include everything from the cost to remediate the breach to the bank’s reputation. Not to mention the possibility of an enormous settlement—breaches continue to get more costly. Just last week Equifax announced it will pay out between $575-700 million as part of the settlement stemming from its massive 2017 data breach.
In Capital One’s case it issued a statement that assured no credit card account numbers or log-in credentials were compromised, nor were 99 percent of Social Security numbers. What was compromised according to Capital One was “personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.”
No Company Is Immune from Cyberattacks; Not the Biggest, Not the Smallest
Cybersecurity will always be an ongoing challenge for companies of every size. Capital One is a pioneer in cloud computing and has dedicated considerable resources to ensure the security of its infrastructure, including a fully-staffed and skilled security team. Still, they’re simply the latest firm to suffer a major breach.
Companies must employ best practices to reduce their risks of having what happened to Capital One happen to them. Here’s what Arctic Wolf recommends:
- Configure with least-privilege in mind: Ensure your policies allow the fewest actions and access to resources as possible. While the story is still emerging, one apparent contributor to the breach was in and identity and access management (IAM) role that had excessive privileges.
- Revise and test-run your incident response plan: This is one area where Capital One was prepared. They became aware of the breach via an email tip on July 17th and reported to the public on July 29th in a transparent, orchestrated way. Establishing and practicing your incident response plan that includes all constituents (including legal, PR) will give you some degree of control and help alleviate a potentially disastrous situation.
- 24/7 Monitoring: Capital One determined what happened reasonably quickly, probably using CloudTrail logs. In most cases, monitoring will surface anomalous activity, allowing you to halt a compromise in its tracks before it becomes a catastrophic breach. Around-the-clock monitoring is essential, as cybercriminals can strike at any time, from anywhere in the world. You need to continuously monitor user and admin activity to look for suspicious authentication/login activity, policy or configuration changes, privilege escalations, etc.
Arctic Wolf™ Managed Detection and Response provides the monitoring you need, both on-premises and in the cloud (AWS, Azure, O365, GSuite, SFDC, Box among various cloud services). For Arctic Wolf MDR customers monitoring AWS infrastructure, a configuration change generates an alert for our Concierge Security™ Team for evaluation and possible escalation. Learn more about our MDR solution now.