The Capital One hack raises many questions regarding cybersecurity

As the alleged Capital One hacker has been indicted and may face up to 25 years in prison, several experts have stated that the breach raises a lot of questions.

The financial holdings company was breached back in March this year, resulting in 106 million customers' data being compromised. However, the cyber attack was only discovered in mid-July after a GitHub user spotted another user posting about it on the site and subsequently alerted Capital One to the potential cybersecurity weakness in its digital defences. The weakness in question is reported to have been a misconfigured Capital One firewall.

The company went public about the breach on Monday, July 29. At the same time, the woman accused of the hack was arrested by the authorities. Paige A Thompson went by the Twitter handle erratic and allegedly compromised information about customers’ credit scores, credit limits, payment histories, contact information and social security numbers.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” Richard D. Fairbank, chairman and CEO of Capital One, said at the time. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

The cyberattack exploited a specific configuration vulnerability in Capital One’s infrastructure. The company claims to have addressed the configuration as soon as it was discovered and verified there are no other instances in its environment.

Since the news first broke in July, Thompson has also been accused of having attacked 30 other organizations.

She has now been indicted on two counts and may face up to 25 years in prison if found guilty.

Speaking with RegTech Analyst, Mark Sangster, vice-president and industry security strategist at eSentire, a global leader in managed detection and response, expressed disappointment with the handling of the case so far. “Employees warned multiple departments and management of known security issues and flaws,” Sangster said, pointing at reports like one in the Wall Street Journal suggesting that routine cybersecurity measures were overlooked and staff members’ warnings about vulnerabilities were ignored.

He now argues that Capital One’s handling of the case raises a lot of questions. “Why was the most critical information withheld when it could help others understand how the bad actor broke in, what vulnerabilities were exploited by doing so, what defenses were broken down that allowed them to access such a significant volume of data?” Sangster wondered. “Most importantly, what will the regulators learn and enforce in terms of policy to prevent further action in the future?”

He is not the only one to ask questions. Since the breach was revealed, Democratic presidential hopeful Elizabeth Warren has criticized Fairbank in an open letter. The Massachusetts Democrat asked why the bank had failed to detect the breach for nearly four months and how it plans to prevent a breach in the future.

Moreover, the Washington Post stated that the hack raised concerns about how companies handle historical data as some of the credit applications compromised by the Capital One breach dated back to 2005. “The more stuff you have laying around, the more chance you have of something bad happening with it,” Jonathan Stone, chief technology officer for the IT consulting firm Kelser, told the publication.

Copyright © 2019 FinTech Global
