Wednesday, July 31, 2019

Casting Shadow Over Cloud Security, The Capital One Data Breach


Capital One Breach Casts Shadow Over Cloud Security

Massive data exposure highlights sustained risk from poor information-protection practices

Capital One was an early adopter of cloud computing among financial institutions. Photo: Richard Drew/Associated Press
One of the highest-profile hacks of consumer-banking data has sent financial institutions scrambling to figure out how millions of records at one of the biggest proponents of cloud-computing were exposed.
Capital One Financial Corp., the fifth-largest U.S. credit-card issuer, said Monday that information of roughly 106 million card customers and applicants was exposed in one of the largest data breaches of a big bank.
The data was stored on Amazon.com Inc.’s cloud, according to a federal criminal complaint and people familiar with the matter. The avenue of entry, the companies and investigators said, was a poorly configured firewall—a mechanism designed to wall off privately operated digital systems—that a hacker breached.
Both companies say controls around the data, rather than use of the cloud, were the problem. Still, the data was stored in the cloud, raising questions about whether Capital One put insufficient safeguards in place to lock down customer records when it adopted cloud technology. And the accused hacker’s tenure as a former employee of Amazon’s cloud business highlights the risk—previously little appreciated—of an insider threat.
Cloud computing has boomed as companies have increasingly turned to providers such as Amazon and Microsoft Corp. to do the work of configuring computers inside their own data centers. The processing power of those servers and storage devices is then rented out to cloud customers, who pay depending on how much work the computers do.

Data Downers

The Capital One breach joins a list of episodes in recent years.

 

Capital One was an early adopter of cloud-computing among financial institutions as many other banks hesitated to move customer data out of their data centers. But the global cloud business has expanded—including among banks—as companies such as JPMorgan Chase & Co. and Bank of America Corp. became converts. That has heightened the stakes from the Capital One breach for the broader financial-services and cloud-computing industries.
By 2023, banks globally are forecast to spend more than $53 billion on public cloud infrastructure and data services, up from $24.3 billion this year, according to market research firm International Data Corp.
The disclosure of the breach has caused a behind-the-scenes scramble at several financial institutions to understand what happened at Capital One, according to a person familiar with the discussions.
“Everyone who is migrating to the cloud is really going to look at their controls,” said Sameer Malhotra, the chief executive of TrueFort Inc., a company that provides cloud security services. However, he added, “I don’t think it’s going to change their intention to move to the cloud.”
Capital One started working with Amazon Web Services in 2014 and has since become a marquee customer. Photo: Salvador Rodriguez/Reuters
Although court documents indicate a Capital One error led to the breach, the alleged hacker, Paige A. Thompson, is a former employee at Amazon’s web services unit, the world’s biggest cloud-computing business. That raises questions about whether she used knowledge acquired while working at the cloud-computing giant to commit her alleged crime, said Chris Vickery, director of cyber-risk research at the security firm UpGuard Inc. A lawyer representing Ms. Thompson didn’t return messages seeking comment.
An Amazon spokesman attributed the hack to a firewall issue, not a cloud-computing problem.
Cloud computing caught on in part because it allowed software engineers to sidestep cumbersome security restrictions and sluggish development processes that made companies’ in-house technologies clunky. But the ease and speed of opting instead to fire up a server through Amazon Web Services has led to many cloud misconfiguration problems that can leave sensitive data exposed to unauthorized access.
“It’s easy to misconfigure things and it’s easy to have catastrophic results from those misconfigurations,” Mr. Vickery said.
As the list of companies that have inadvertently exposed data on the cloud has grown, Amazon has taken steps to minimize that risk. In 2017, the company introduced a series of technologies to detect such configuration problems and make them easier to fix.
Capital One started working with AWS in 2014 and has since become a marquee customer. In 2015, Capital One Chief Information Officer Rob Alexander said “the financial services industry attracts some of the worst cybercriminals. So we worked closely with the Amazon team to develop a security model, which we believe enables us to operate more securely in the public cloud than we can even in our own data centers.”
“This type of vulnerability is not specific to the cloud,” Capital One said of the hack. “The elements of infrastructure involved are common to both cloud and on-premises data center environments.” The bank added that its use of the cloud helped it respond to the breach faster. The company learned of the incident on July 19 and notified affected customers 10 days later.
Over the years, Capital One has developed systems to prevent data from being inadvertently released to the wider internet, according to a person familiar with the company’s operations.
“Any company that has or is looking to move into the cloud must ensure that their security strategy is developed alongside of that transformation,” said Vincent Liu, a partner with the security-consulting firm Bishop Fox.
Mr. Liu, whose company assesses security vulnerabilities on corporate networks, says that while configuration problems happen in corporate data centers as well, he often finds that “basic cyber hygiene gets thrown out the window” as companies move to new technologies such as the cloud.
The financial stakes for companies to safeguard customer information are quickly rising. Credit-reporting company Equifax Inc. struck a $700 million settlement this month with state and federal authorities concerning its 2017 data breach that exposed information on some 150 million Americans. In Britain, Marriott International Inc. faces a potential £99.2 million ($102.5 million) fine over a data breach. The same U.K. regulator this month also proposed a record £183.4 million fine following a hack at British Airways last year.
Capital One said it expected to spend up to $150 million to cover breach-related costs, largely for issues such as notifying customers and paying for credit monitoring. The bank didn’t discuss potential fines.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved.
Appeared in the July 31, 2019, print edition as 'Hack Casts a Shadow on Cloud Security.'

Five (5) things you should do immediately if you suspect you were affected by issues like the Capital One data breach





First American Financial Corp exposes 885 million sensitive financial records online



Capital One announces up to 100 million in U.S. affected


If you're like me, w/ avg. 11 DC/CC cards, you need to read this...

What happened at Capital One?


On July 29, 2019, Capital One Financial Corporation announced that they suffered a data security incident in March of this year. An unauthorized individual was able to access the sensitive personal data contained in applications for credit products from 2005 to 2019, which could affect approximately 100 million individuals in the U.S.



The personal information that was accessed included:
  • Full names
  • Physical address
  • Phone numbers
  • Dates of birth
  • Email addresses
  • Self-reported income
For some customers, additional information stolen may have included customer status data such as credit scores, credit limits, balances, payment history, and fragments of transaction data. For a small portion of applicants, about 140,000 Social Security numbers and 80,000 linked bank account numbers were exposed.



What does this mean?

Make sure you are getting everything your LifeLock membership has to offer.  If you haven't already, log in to your Member Portal and complete your profile to ensure that LifeLock is monitoring your personal information, including any email addresses you use regularly, financial accounts, and more.

Due to this event, we may be experiencing high call volume and don't want you to be inconvenienced with wait times. If we detect your personal information being used within our network, we'll send you an alert.

If you would like to help protect your family members' identities, log in to your member portal here and use promo code BREACHFAMILY for 15% off the first year* for new members.





Thanks for being a LifeLock member. Rest assured, John, we have your back.








  
New Credit Report Activity Detected





Hi,
This email is from the LifeLock Member Services team. We've identified a new event on your credit report.

Please review this activity in your LifeLock account. If you recognize the activity, there's no problem. Review Activity ASAP!


Have questions about this Credit Alert? Learn more at our Member Support Center.

Sincerely,

Jon
The Team at LifeLock Member Services


---------- Forwarded message ---------
From: LifeLock Member Services <member.services@lifelock.com>
Date: Wed, Jul 31, 2019, 8:47 AM
Subject: Credit Report Event: Please Review
To: <joaoa.dsilva2019@gmail.com>

FYI: You may receive additional alerts about this activity if it is reported to the other two national credit bureaus, or shows on another LifeLock data source.

1-800-607-5619   |   MEMBER SUPPORT CENTER
No one can prevent all cybercrime or all identity theft.
†LifeLock does not monitor all transactions at all businesses.

You received this mandatory email service announcement to update you about important changes to your LifeLock account.

Copyright © 2019 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, the Checkmark Logo, Norton, Norton by Symantec, LifeLock, and the LockMan Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the United States and other countries. Other names may be trademarks of their respective owners.


60 East Rio Salado Parkway, Suite 1000, Tempe, AZ 85281


  


---------- Forwarded message ---------
From: LifeLock <lifelock@secure.norton.com>
Date: Tue, Jul 30, 2019, 7:59 PM
Subject: [DATA BREACH] Capital One announces up to 100 million in U.S. could be affected
To: <joaoa.dsilva2019@gmail.com>


*Important Subscription, Pricing and Offer Details:
The price quoted today may include an introductory offer. After that, your membership will automatically renew and be billed at the applicable monthly or annual renewal price found here. Special offer(s) may expire at any time at Symantec's discretion.
You can cancel your membership here, or by contacting Member Services & Support at 844-488-4540. Please visit LifeLock.com and refer to the Legal Information section for our Refund Policy.
Your subscription may include product, service and /or protection updates and features may be added, modified or removed subject to the acceptance of the License Agreement.
