"WHAT'S IN YOUR WALLET?" is the theme question asked by spokes-celebrity Jennifer Garner in commercials for Capital One. A data breach wasn't supposed to be one of the things in your wallet but since it was, the company's brand is taking a huge hit, just because of this data breach. Reviewing the details of the data breach incident offers some key insights technology leaders at other organizations can take away:
1) THIS DATA BREACH INCIDENT WAS NOT ALL BAD NEWS
A. No credit card account numbers or log-in credentials were compromised. Both are highly sought after data types on the Dark Web; therefore, NOT exposing about 100M highly sensitive data records is actually a good thing.
B. Also, over 99% of Social Security numbers in Capital One's possession were not compromised - another good thing.
C. Unfortunately, there were still around 140,000 SSNs exposed, roughly 80,000 bank account numbers, and approximately 1 million Social Insurance Numbers of Canadian credit card customers compromised.
TAKE AWAY: The breadth of the breach was not as wide as it could have been – although there are many still seriously affected by the data breach. Even though it may be an unpopular opinion, the CISO (and other I.T. Security Leaders) should be commended for making a decision to (partially) secure sensitive data in a way which reduced the number of records exposed during the data breach.
2) THE AMOUNT OF DATA EXPOSED IN THIS BREACH COULD HAVE BEEN MORE
According to the Data Breach notice from Capital One, they encrypt data as a standard. The unauthorized access also possessed the capability to decrypt the data.
TAKE AWAY: Had Capital One relied solely on encryption as a data protection method for all of their sensitive data, the data stolen could have been easily decrypted by the hacker, meaning the credit card data and log-in credentials could have been exposed. It also highlights one of the key disadvantages to securing data with encryption – theft or misuse of an encryption key.
3) TOKENIZATION ON SENSITIVE DATA WORKS.
A. The data breach notice pointed out that Capital One also deploys tokenization on selected sensitive data fields as an effective data protection method. Tokenization provided an additional data security measure - with fewer security risks than encryption. The result was less customer data exposed during the breach.
B. Social Security numbers and account numbers were tokenized, which involves the substitution of the sensitive data element with a cryptographically generated replacement. The methods used to reveal the tokenized fields are different from those used to encrypt data; therefore, the tokenized data remained protected.
TAKE AWAY: If your business is primarily using encryption instead of tokenization, you need to consider tokenization as a data protection method right now. Tokenization actively protects sensitive data, even when unauthorized access to systems and applications has been achieved as this breach incident proved.
4) LAW ENFORCEMENT WAS RESPONSIVE AND EFFECTIVE
Reviewing of the breach timeline from when the vulnerability was discovered until a suspect was apprehended shows that, when involved, law enforcement agencies are swift in responding to and catching cyber attackers.
• July 17, 2019 - configuration vulnerability was reported by an external security researcher through our Responsible Disclosure Program
• July 19, 2019 - the discovery of the incident, after an internal investigation was started, determined there was unauthorized access by an outside individual who obtained certain types of personal information
• July 29, 2019 - The FBI arrested the suspect who they believe is responsible
TAKE AWAY: Cybersecurity Law Enforcement in the U.S. is responsive and effective - sometimes they don't receive enough credit. The Capital One CEO mentioned the FBI's Seattle Field Office and Special Agent Joel Martini, amongst others, as being invaluable in responding to the breach.
5) CLOUD COMPUTING IS OFTEN AT THE CENTER OF DATA BREACHES
Although this data breach was not "pinned on" a cloud service provider, this incident still shows that data security and protection extends beyond an organization's on-premise borders. As described in the data breach incident report, "[the suspect] was able to obtain the data via a 'firewall misconfiguration' that allowed her to execute commands with a server that gave her access to data in Capital One’s storage space at a [cloud service provider]."
TAKE AWAY: System administrators and cloud administrators need to work together to identify and mitigate security vulnerabilities such as the one exploited in this incident. More importantly, the incident highlighted that tokenization-based data-centric security protects data regardless of where it is or who has it since the protection ‘travels with’ the data. Tokenization is effective whether the data resides in the cloud or on-premise.
6) CYBER INSURANCE PAYS
Capital One said the incident is expected to cost approximately $100 to $150 million in 2019, largely driven by customer notifications, credit monitoring, technology costs, and legal fees. This estimate is in line with the “Cost of a Data Breach” study, as defined by the June 2019 Ponemon Research, at $150 per record.
TAKE AWAY: Capital One said it does carry cyber insurance with a total coverage limit of $400 million (subject to a $10 million deductible and standard exclusions, etc.) so they may be largely covered if the scope of the data breach doesn’t widen. Certainly they can also expect a huge bump in their premium going forward for years to come, not to mention costly damage to their brand. Most importantly though, if tokenization had been used more pervasively, they could have potentially avoided a breach, and, at a fraction of the cost.
Capital One are still culpable for leaving some sensitive customer data in the clear and were forced into a data breach notification with real world consequences. However, Capital One did do some things right, and other organizations who also are responsible for customer data would be prudent to learn from this incident to ensure their customers’ data is very well protected.