Capital One fine is latest wake-up call for banks using the cloud

By Penny Crosman, American Banker
7 August 2020

It’s been more than a year since Capital One Financial said it had suffered a data breach that exposed the personal information of 106 million customers, but the lessons from the episode are as timely as ever.

The $80 million penalty assessed by the Office of the Comptroller of the Currency on Thursday against the McLean, Va., company for its security lapse highlights how serious a regulatory risk data-integrity issues are — especially those involving cloud computing.

The hack was allegedly carried out by Paige Thompson, a former software engineer at Amazon Web Services, who broke into Capital One’s servers in Amazon’s cloud through a misconfigured web application firewall. Thompson was arrested and awaits trial on charges of hacking Capital One and 30 other organizations.

Banks continue to put sensitive data in the cloud, especially as digital services have risen in popularity during the pandemic. The incident and its aftermath offer banks a watchlist of precautions that have become clearer with the passage of time, say academic and information security experts interviewed for this story.

Here are six steps banks can take to strengthen their data defenses.

Update open-source software

Thompson gained access to the Capital One data through an insecure web application firewall.

Jim Reavis, co-founder and chief executive officer of the Cloud Security Alliance, said Capital One used open-source software to build the firewall in front of its servers.

Open source software in and of itself is not dangerous, he said. “All of corporate America uses open source software of different types and flavors,” he said.

But this firewall had a misconfiguration that the attacker used to conduct a server-side request forgery, which enabled her to obtain privileged identity credentials.
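The flaw class named here, server-side request forgery, is what happens when an internet-facing component forwards a URL it was handed without checking where that URL actually leads. The following is an added example (not Capital One's code or the firewall the article refers to) of the kind of guard a defender puts in front of any server-side fetch: the hostname allowlist, the `.partner.example` suffix, the injected `resolver` and `transport` callables, and the sample addresses are all constructed for illustration. It refuses any target that resolves to a non-public address, and connects to the address it vetted rather than resolving the name a second time.

```python
"""Guarding a server-side fetch against SSRF (added example; allowlist, host
names, and the resolver/transport hooks are constructed for illustration)."""
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist: the only hosts this service may call on a user's behalf.
ALLOWED_HOST_SUFFIXES = (".partner.example",)
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Resolve a name to every address it maps to; IP literals pass straight through."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def static_resolver(table):
    """Build an offline resolver from {hostname: [address strings]} (for tests/demos)."""
    return lambda host: [ipaddress.ip_address(a) for a in table.get(host, [])]


def is_public(addr):
    """True only for globally routable unicast addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # unwrap ::ffff:a.b.c.d so the IPv4 checks apply
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def vet_target(url, resolver=resolve_all):
    """Decide whether a server-side fetch of `url` may proceed.

    Returns (ok, reason, address). Every address the name resolves to must be
    public, so a name mapping to one public and one internal address is refused.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    host = parsed.hostname
    if not host:
        return False, "no host in URL", None
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials embedded in URL", None
    if not host.lower().endswith(ALLOWED_HOST_SUFFIXES):
        return False, "host not on allowlist", None
    addresses = resolver(host)
    if not addresses:
        return False, "host does not resolve", None
    bad = [a for a in addresses if not is_public(a)]
    if bad:
        return False, f"resolves to non-public address {bad[0]}", None
    return True, "ok", addresses[0]


def safe_fetch(url, transport, resolver=resolve_all):
    """Hardened fetch: vet the target, then hand the vetted address (not the name)
    to the transport, so a DNS record that changes between check and use cannot
    redirect the request. `transport(address, host, path)` is an injected hook."""
    ok, reason, address = vet_target(url, resolver)
    if not ok:
        raise PermissionError(f"refusing outbound request: {reason}")
    parsed = urlparse(url)
    return transport(str(address), parsed.hostname, parsed.path or "/")
```

In production the `transport` hook would open the connection to the vetted IP and set the `Host` header (and TLS server name) to the original hostname; keeping it injectable is what lets the guard be exercised offline.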

Maintaining security updates on open-source software is as important as it is on proprietary software, Reavis said.

Capital One did not immediately respond to a request for comment Friday, but a day earlier, after the OCC penalty was announced, the company said it takes data security seriously and had controls in place at the time of the breach that helped authorities make an arrest.

“In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders,” a company spokesperson said in an email to American Banker.

A combination of automation and human review can be used to check and double-check the security of software code, said Steve Rubinow, a computer science faculty member at DePaul University and former chief information officer of the New York Stock Exchange.

“In any security space, the weakest link is human because we humans make mistakes,” Rubinow said. “Even the smartest of us, the most capable of people with the best track records are capable of making mistakes.”

Restrict data access

Thompson was an insider: She had worked at AWS on the Capital One account.

Reavis said companies need to pay more attention to administrator accounts, sometimes called “God access” accounts, that give insiders carte blanche access to everything. They should also apply dual-key systems, so administrators can’t obtain elevated privileges on their own.

Companies ought to employ the principle of least privilege so that when a credential is stolen, as in this case, the harm it can cause is limited, Reavis said.
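The two recommendations above, dual-key control over administrator privileges and least-privilege credentials, fit together: elevated access is issued only when a second administrator approves, and what is issued is a short-lived credential scoped to the resources named in the request rather than a standing account that can reach everything. The code below is an added example of that pattern (not code from Capital One, AWS, or the experts quoted); the administrator names, resource names and the 15-minute lifetime are constructed, and `blast_radius` shows what a thief would get from a given credential at a given moment.

```python
"""Least-privilege credentials with dual-control elevation (added example; the
administrator set, resource names and expiry window are constructed)."""
import itertools
import time
from dataclasses import dataclass

ADMINS = {"alice", "bob"}          # constructed: people allowed to approve elevation
ELEVATION_TTL_SECONDS = 15 * 60    # constructed: elevated access dies after 15 minutes


@dataclass(frozen=True)
class Credential:
    principal: str
    grants: frozenset        # (action, resource) pairs this credential allows, nothing else
    expires_at: float        # Unix time after which the credential is dead


def is_permitted(cred, action, resource, now=None):
    """Explicit allow only: no wildcard 'God access' entries, and expiry is enforced."""
    now = time.time() if now is None else now
    if now >= cred.expires_at:
        return False
    return (action, resource) in cred.grants


def blast_radius(cred, now=None):
    """Resources reachable with this credential if it were stolen right now."""
    now = time.time() if now is None else now
    if now >= cred.expires_at:
        return set()
    return {resource for _action, resource in cred.grants}


class ElevationDesk:
    """Two-person rule for privileged access: a request is honoured only once a
    different administrator approves it, and the result is a short-lived,
    narrowly scoped credential rather than a standing admin account."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested offline
        self._ids = itertools.count(1)
        self._pending = {}

    def request(self, requester, grants, justification):
        """Record what is being asked for and why; nothing is granted yet."""
        rid = next(self._ids)
        self._pending[rid] = (requester, frozenset(grants), justification)
        return rid

    def approve(self, rid, approver):
        """Issue the scoped credential, refusing self-approval and non-admin approvers."""
        requester, grants, _justification = self._pending[rid]
        if approver not in ADMINS:
            raise PermissionError("approver is not an administrator")
        if approver == requester:
            raise PermissionError("requester cannot approve their own elevation")
        del self._pending[rid]
        return Credential(requester, grants, self._clock() + ELEVATION_TTL_SECONDS)


if __name__ == "__main__":
    desk = ElevationDesk()
    rid = desk.request("alice", {("read", "reports-bucket")}, "incident review")
    cred = desk.approve(rid, "bob")
    print("can read reports-bucket:", is_permitted(cred, "read", "reports-bucket"))
    print("can read customer-bucket:", is_permitted(cred, "read", "customer-bucket"))
    print("blast radius:", blast_radius(cred))
```

The point of the design is visible in `blast_radius`: a credential issued this way exposes exactly the resources an approver signed off on, and only until it expires, whereas a stolen standing administrator credential would expose everything indefinitely.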

Strengthen authentication

Capital One made some mistakes with authentication, Reavis said.

“Multifactor authentication is a great way to take a lot of different types of successful attacks and cause them to have no negative consequences,” he said.

Capital One does use multifactor authentication a lot, Reavis said. But on backend systems like this one, its use is uncommon.

“That’s changing — you’re seeing more organizations thinking of identity more holistically,” Reavis said. “They’re thinking of identity of devices, identity of applications, identity of data stores, and then extending their identity management and authentication strategies across the board.”

Have a response plan

Capital One did respond quickly and effectively to the breach, such that the hacker was caught right away and the data was rapidly secured.

In addition to a strong incident response, Capital One notified customers of the breach promptly.

“It likely reduced their fine significantly,” Reavis said.

Be ready to share incident information

Throughout the past year, Capital One has been in a court battle to keep private an investigative report it hired security firm Mandiant to write about the breach. But recently, a court required Capital One to share the report with the plaintiffs’ attorneys in a class action.

“An incident analysis or forensics type of report is going to have a lot of sensitive information that might expose additional vulnerabilities and threat vectors,” Reavis said. “I understand the sensitivity. But organizations need to be very frank about how their systems are configured and tested to make sure they’re secure in the first place and be very transparent about how incidents are handled, how the systems are governed.”

Don’t overrely on cloud providers

Mark Bower, senior vice president with the data-security company comforte AG, makes a point regulators have been making for years: Companies can’t outsource security to vendors, especially cloud vendors.

“The signal is very clear: The often-referenced shared responsibility cloud model means naught when it’s your data,” Bower said. “You are responsible and accountable, and will pay the price if gaps are exploited.”

Rubinow echoed this point.

“There have been a number of companies in the past that have so much respect for Amazon or whoever their cloud provider is that they say, if I just put my computing assets in their cloud, they will secure them for me because they’re really smart people and they do it at scale,” he said.

“I always have to remind those people that they don’t secure everything. And at the end of the day, these are your applications. This is your data. You need to be vigilant and safeguard them because no one’s going to care about them as much as you are and it’s still your responsibility.”