When stories like this break, be sure to investigate the scope of damage and events that led up to the breach before coming to a conclusion about a companies’ worth. Let’s break down what’s going on with Capital One, the latest victim of a data breach of which the media is running wild with.
It’s a very rare and unlikely event to catch a hacker responsible for such a large data loss, however the FBI has named Paige A. Thompson a suspect in the case and has made an arrest with overwhelming evidence against her. Paige was an engineer for AWS, an Amazon cloud-computing company several years ago, and is accused of finding and exploiting a “configuration error” in a web application associated with Capital One, which was hosted (physically located) in a cloud computing third party providers data center. (AWS has not officially been named the provider at this point.)
What was compromised?
As reported by Capital One, the exploit of the web app resulted in the loss of information related to approximately 100 million individuals in the United States, and 6 million individuals in Canada. https://www.capitalone.com/facts2019/ Capital One reports that:
Importantly, no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Beyond the credit card application data, the individual obtained portions of credit card customer data, including:
Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information.
Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.
Whose fault is it?
Understand that an organization’s ability to prevent cyber-attacks does not necessarily equivale to how much they spent on infrastructure to prevent them. In this case, an investigation is under way to uncover the liable party for damages caused due to this breach. On one hand, it could fall on the lap of the cloud computing provider, if proof is found that a lack of maintenance and testing of the resources hosted on behalf of Capital One in the third party data center is found, than they made me held liable. However, in most cases such as these, the fault will return home to Capital One, who will ultimately have to answer to affected consumers.
Who should I be angry with?
It’s natural to be upset with the organization who lost your information, regardless of the reason, and you would be justified in doing so. However, let’s also consider the individual in this case.
If convicted, Thompson will be guilty of finding a vulnerability in the web application used by millions of consumers in North America and exploiting the vulnerability in order to extract consumer data. At this point, this is the only crime Thompson is charged with, as no proof has been found that she disseminated the information.
Large companies often offer what’s called “Bug Bounty Programs” of which a reward is paid to a hacker who discovers a vulnerability which may be used in a data breach. Unfortunately, this may have been Capital One’s largest mistake. In Capital one’s “Responsible Disclosure“ program, https://www.capitalone.com/applications/responsible-disclosure/ no such reward is offered to those who discover vulnerabilities. A simple thank you, followed by some rules and guidelines associated with letting them know their network is vulnerable is listed.
Should Capital One be offering to pay a hacker who discovers a vulnerability such as this for reporting the vulnerability instead of using it to extract data? Probably.
Your opinion is not ours to make up, however, do consider that in this case, the suspected hacker held the keys to a vault of which if opened could negatively effect millions of Americans financial well-being. So, what did she do? She extracted the data and left the vulnerability behind. Should she have reported the vulnerability? Probably.
What should I do?
As stated before, there is no proof at this point that data was sold to or lost to any entity that may use the information against you. The larger problem in the wake of such events is to be on the lookout for phishing campaigns which claim to be either blackmailing you with the threat of selling your Capital One Data, or, trying to protect you from it.
If you do receive these emails or other communications, be sure to validate the legitimacy of the sender before clicking on, communicating with, or otherwise interacting with these communications as they may be tricking you into compromising your machine or releasing sensitive information.