Kelser Offers Business Takeaways from Capital One Breach in Washington Post and More
Less than 12 hours after the massive Capital One data breach was announced on a Monday night, Kelser CTO Jonathan Stone was on the phone with a reporter from The Washington Post helping break down the role of cloud storage in the story. In the days that followed, Kelser experts were on all four local Connecticut TV networks to provide perspective on this breach.
We were thrilled to have the chance to share our expertise in the media because the Capital One breach is unusual in many ways and slightly complicated from a technical standpoint. Here’s a roundup of lessons businesses can learn from this breach.
If You Don’t Need It, Delete It
As Jon told the Washington Post, “The more [data] you have laying around, the more chance you have of something bad happening with it.”
The Capital One breach affected over 100 million people. The impact might have been smaller if the data stolen didn’t go as far back as 2005. This came up in Jon’s interview on FOX 61 the morning after the breach was announced. Jon asked, “Was it necessary to keep all of that for all that time?”
“If less data was kept, there could have been less of an exposure,” Jon said. Bingo. Hackers can’t steal what no longer exists. To their credit, Capital One did encrypt a lot of their data, which limited the Social Security Numbers exposed to 140,000.
Have a Data Breach Plan in Place
Compared to other breaches of this size (cough, Equifax, cough), Capital One has handled their response very well. As Kelser President Jim Parise pointed out on WFSB Channel 3, it’s clear that Capital One had a plan in place to guide them in a situation like this.
As far as we can tell, Capital One immediately began taking steps to address the breach once it was brought to their attention. Within a few months, they seem to have:
- Verified the vulnerability through testing
- Tracked precisely what data was stolen (which makes it easy for consumers to figure out if they were affected)
- Cooperated with law enforcement, leading to an arrest
- Gone public with the breach as soon as it would no longer hinder the investigation
Rather than sitting on the breach for a long period of time, Capital One acted quickly and took an apologetic tone from the outset. While the breach still should have been avoided, they set an example for how to respond once a breach has occurred.
The Cloud Isn’t at Fault Here, Capital One Is
This breach has raised some questions about cloud security, but the truth is that the cloud’s security was sound. A firewall owned by Capital One was misconfigured, allowing the hacker to access their data in the cloud. As Kelser pointed out on WTNH News 8’s Good Morning Connecticut, the breach was enabled by a physical component.
There’s nothing a cloud provider could have done to prevent this breach. However, a routine vulnerability assessment should pick up something like an incorrectly configured firewall. At Kelser, this is the sort of thing we always monitor for our Defend Forward cybersecurity clients--it's even something we do at no cost for companies that aren't our clients yet but are interested in getting an accurate assessment of their cybersecurity picture and potential weaknesses.
Most cyberattacks involve someone being tricked into letting hackers in by clicking on a phishing email or opening a malicious attachment. It's rare that something so cut and dried and easily detectable like this would lead to a breach on this scale. The idea that a company like Capital One was not conducting vulnerability assessments is unthinkable. Capital One (and the individuals whose data was stolen) was incredibly lucky that the hacker was foolish enough to brag about her exploits and that they received a tip. Since they were apparently not monitoring their security systems closely, who knows when they would have found the breach on their own.
Minimize Business Use of Social Security Numbers
While encryption did protect the majority of Social Security Numbers compromised in the breach, the SSNs that were exposed belonged to people who had applied for business credit cards. Owners of small businesses should apply for an Employer ID Number or EIN even if they have no employees. That way, they won't have to provide their Social Security number as often, such as when submitting W-9 paperwork.
Without a Social Security number, it’s still possible for hackers to use data such as addresses and phone numbers to commit fraud, but it’s more difficult. Jon alluded to the fact that hackers can sometimes combine info from a data breach with mail fraud in a live interview with NBC Connecticut’s Kevin Nathan.
At this point, Capital One has said they will contact people who were affected by the breach. Credit monitoring, or even freezing credit, is never a bad idea.