15 Aug
Data Security Lessons: How the Capital One Data Breach Could Have Been Prevented
According to a study from cybersecurity researchers at the University of Maryland, hackers across the globe are now launching attacks every 39 seconds. In this type of environment, it’s no surprise when news of the next big hack comes to light.
The latest in a long line of companies hit by data breaches is Capital One. The credit card company reported that an individual had broken into its secure servers toward the end of March 2019 and had successfully accessed credit card application data from as far back as 2005.
But how exactly did this hack take place? And are there ways in which it could have been prevented?
The hack: What happened?
At the end of July, reports surfaced from several sources, including CNN, that a cybercriminal had breached and accessed the accounts and credit card applications of more than 100 million Capital One customers. Surprisingly, the hack was discovered after the not-so-careful hacker offloaded the stolen information to a GitHub page, using her own real name. After other users reported the page, law enforcement tracked down Paige Thompson, a 33-year-old living in Seattle who previously held a software engineering position with Amazon Web Services.
While the attack is still being investigated, the Washington Post reported that the hack was successful thanks to a misconfigured firewall within Capital One’s cloud infrastructure.
“The hole meant a hacker could reach the server where Capital One was storing its information and access customer data,” Washington Post contributor Rachel Siegel wrote.
Although a breach of this scale is never good news, there are certainly lessons to be learned from Capital One’s attack. And, unfortunately, it’s possible that the hack – and the subsequent compromise of millions of customers’ data – could have been prevented.
Security lessons learned and applied
There are a few key factors to take note of in this instance that companies can apply to improve their own data security structures.
1) Know what you have
First things first, it’s imperative that organizational, IT and security leaders have an in-depth understanding of the data that they store and use, particularly details and information related to customers. After all, businesses cannot design data governance rules and effectively safeguard sensitive information if they are unaware that it even exists.
Stakeholders should work to identify all the information their company stores and uses, especially that which is particularly sensitive. Highly sensitive data should only be used and/or stored when it’s absolutely necessary, and in these instances, the information should be safeguarded with the strongest protection possible.
It’s important to note, however, that this is not a one-and-done initiative. Business processes are changing all the time, and with these adjustments come changes to and/or additions in data. It’s imperative that stakeholders remain on top of their information assets, securely delete data that is no longer necessary, and ensure robust data backups.
2) Follow data wherever it goes
In addition to understanding the data the company has and uses, it’s also critical to know where this data lives, where it is accessed and where it is stored. This includes not only employee end-user and mobile devices but cloud environments as well. As the Capital One breach shows, even something as simple as an improperly configured firewall between on-premises and cloud environments can be a security downfall.
Improve protection of data locations by implementing top security strategies like multi-factor authentication, application whitelisting, rule-based access privileges, and overarching security monitoring.
3) A watchful eye on compliance
Personally identifiable data – encompassing customer details like names, addresses, Social Security numbers, etc. – is typically subject to industry-wide compliance rules and standards, including the EU’s General Data Protection Regulation (GDPR) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Ensuring alignment and compliance with these rules should be a top priority within every organization, and can help close common security gaps that leave the door open to hacker activity.
The right tools for the job
With the right risk-focused mindset and strategic tools in place, companies can achieve the kind of critical data security that can prevent cybercriminal intrusion, protect sensitive customer information and maintain the reputation of their brand.
Tools like PhantomWatch’s Security Posture Framework can help IT and data security leaders keep track of the information they have, maintain oversight of its location and prioritize its critical security.
Additionally, the Cyber Resiliency Platform enables users to better support their compliance through the creation and continual improvement of a risk register that is unique to the business.
To find out more about these solutions and the other capabilities possible through Pinnacle’s strategic partnership with PhantomWatch, check out the slide presentation and connect with us today.