You might have heard that Capital One customers recently had private information exposed due to a data breach. The breach affected 106 million consumers in the U.S. and Canada — anyone who had applied for a credit card with Capital One all the way back to 2005.
Could it have been prevented? And did Capital One do enough to manage the aftermath? We spoke to Hung Lee, Kasasa’s Chief Information Security Officer, about the lessons that can be taken away from this unfortunate situation.
Safeguard data by testing vulnerabilities.
When it comes to protecting data, nothing is more important than continuous testing to ensure any bugs or mistakes in code and configuration are fixed promptly. In the case of Capital One, they had the right tools in place with the Amazon Web Services (AWS) platform. But without systems in place to continuously test for vulnerabilities, the data was left wide open to attackers.
“It is still early days in the case, so there are scant technical details around the web application firewall (WAF) misconfiguration. If I had to guess, Capital One likely had a WAF rule with incorrect filter logic, hence rendering the rule useless against attacks,” says Lee. According to Lee, WAFs are meant to block attacks that intend to exploit the business and security logic of a web application. By exploiting or bypassing the business and/or security logic of a web application, attackers can then gain access to the underlying data. “In an ideal scenario, this misconfiguration should have never made it past a Change Review Committee. Even if it did, the misconfiguration should have been detected by some combination of automated vulnerability scanning and/or manual testing.”
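Lee's point is that a rule with incorrect filter logic looks fine on paper and only shows itself to be useless when it is tested against the traffic it is supposed to stop. The following is an added example, not code from Capital One, AWS or Kasasa: the rule format, the `Rule` and `Request` classes, the `/admin` policy and the sample requests are all constructed here to show what a small regression test for WAF configuration looks like. The broken rule anchors its path pattern so tightly that it never matches the requests it was written for; the corrected rule beside it passes every case.

```python
"""Regression-test WAF rules against the traffic they are meant to stop.

Added example with a constructed rule format; not the code of any WAF product.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Request:
    """Minimal stand-in for a request as a WAF sees it (constructed)."""
    path: str
    source_ip: str


@dataclass(frozen=True)
class Rule:
    """Block requests whose path matches `pattern` unless the source address
    starts with one of `allowed_prefixes` (constructed rule format)."""
    name: str
    pattern: str
    allowed_prefixes: Tuple[str, ...]

    def blocks(self, req: Request) -> bool:
        if not re.search(self.pattern, req.path):
            return False
        return not req.source_ip.startswith(self.allowed_prefixes)


# Intended policy (hypothetical): only the internal 10.0.0.0/8 range may reach
# anything under /admin. The pattern "^/admin$" matches only the bare path, so
# every real request to /admin/... passes: the rule exists but blocks nothing.
BROKEN_RULE = Rule("restrict-admin", r"^/admin$", ("10.",))

# Corrected filter logic: match /admin itself and everything below it, but not
# unrelated paths that merely start with the same letters.
FIXED_RULE = Rule("restrict-admin", r"^/admin(/|$)", ("10.",))

# Constructed test traffic: (request, should the rule block it?)
TEST_CASES = [
    (Request("/admin/users", "203.0.113.7"), True),     # external to admin area
    (Request("/admin", "203.0.113.7"), True),           # external to bare /admin
    (Request("/admin/users", "10.20.30.40"), False),    # internal operator
    (Request("/login", "203.0.113.7"), False),          # public endpoint
    (Request("/administrivia", "203.0.113.7"), False),  # prefix collision, must allow
]


def failures(rule: Rule, cases=TEST_CASES) -> List[str]:
    """Describe every case where the rule's verdict differs from the policy."""
    out = []
    for req, expect_block in cases:
        got = rule.blocks(req)
        if got != expect_block:
            verb = "should block" if expect_block else "should allow"
            out.append(f"{rule.name}: {verb} {req.path} from {req.source_ip}, "
                       f"got blocks={got}")
    return out


if __name__ == "__main__":
    # Run this in the change pipeline: a rule with any failure must not ship.
    for rule in (BROKEN_RULE, FIXED_RULE):
        problems = failures(rule)
        status = "PASS" if not problems else "FAIL"
        print(f"[{status}] {rule.name} pattern={rule.pattern!r}")
        for p in problems:
            print("   ", p)
```

Wiring a check like this into the change review step is what turns a Change Review Committee from a paperwork gate into a technical one: the reviewer sees a failing case for the broken pattern rather than a rule that merely reads correctly.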
AWS and Capital One have already issued statements that the breach was not the fault of AWS, as technical security configurations within the cloud are the responsibility of individual users.
Follow data storing regulations.
Capital One’s data breach affected everyone who had applied for a credit card since 2005: a whopping 106 million consumers in total. It’s unclear why Capital One kept credit card applications for up to 14 years — a data retention policy that does not meet industry standards.
One thing we do know: if Capital One had followed industry-recommended data retention policies, the scale of the breach could have been greatly reduced.
Take accountability following a breach.
No matter what (or who) caused the breach, shifting the blame is never a good look in the eyes of consumers. In the press release and FAQ issued on their website following the breach, Capital One avoids mentioning specifics of how the breach was able to occur. However, they say that they “immediately fixed the issue and promptly began working with federal law enforcement.”
Lee says, “Accountability plays a huge role in maintaining customer confidence and trust. Equifax, for example, blamed their data breach on a lowly System Administrator who did not apply a patch for the vulnerability that was exploited. This act of throwing an individual contributor under the bus was highly frowned upon by many.”
Be honest and accurate in your statement.
When a crisis occurs, real-time communication is vital. Consumers need to know exactly what happened — as fast as possible. Capital One issued a press release on their website and pinned a link to it on their social media accounts. They acted quickly, but the wording of their statement drew criticism on social media. As Business Insider reported, Capital One’s initial statement included the following:
The contradictory language infuriated some and amused others. But it did little to provide clarity to consumers who were actually affected. It also minimized the gravity of over 200,000 consumers’ Social Security and account numbers being compromised. Capital One has since changed the language, but one look at Twitter from the day of the press release shows the damage was already done.
Proactively alert affected consumers — and offer help.
The question on everyone’s mind during a data breach is whether they’ve been affected. While Capital One stated who the affected consumers were, they didn’t proactively let individuals know that their information had been compromised. Capital One stated that the 240,000 consumers whose Social Security or bank account numbers were compromised would receive mailed notifications. That still leaves millions of consumers who are worried about their personal information with no personal contact from Capital One. A personalized message in account holders’ online banking dashboard, or a short form with fill-in questions to help someone determine how concerned they should be, could have alleviated some stress.
In addition to alerts, it’s important to provide assistance for affected consumers — what Lee calls an “olive branch”. In their statement, Capital One offered two years of free credit monitoring and identity theft protection to anyone affected. However, the details around whether or not a consumer needs to set up these services themselves, and how they would go about doing so, are vague at best.
During a crisis, silence quickly erodes trust. The more proactive communication and assistance a financial institution can offer consumers, the better.