Unless you have been in some remote part of the world, you know that Capital One has experienced a huge data breach. Ironically, Equifax just settled their massive data breach recently. The Capital One breach reportedly impacts one hundred million customers.
While this announcement was just made yesterday, more details are coming to light this morning. Here's the latest, according to multiple reputable news sources:
1. 100 million credit card applications for Capital One credit cards were accessed and stolen. This impacted customers in the United States. An additional 6 million customers are impacted in Canada. No other geographies have been identified at this point.
2. Social security and bank account numbers of between 80,000 and 140,000 customers were accessed and stolen.
3. It appears that these 140,000 customers are exclusively high-risk, secured credit card holders. This means credit card customers who secure their credit card with a bank account. That bank account may or may not be with Capital One. These are customers with high credit risk, thus the secured nature of the accounts.
4. The breach apparently happened in mid-July and was dealt with very quickly, which is a critical piece of information. The more quickly a breach is identified and rectified, the more contained it should be.
5. The breach was perpetrated by a sole individual, who worked for a business partner of Capital One that stored this data in the partner's cloud data centers.
6. This individual bragged about their activity in an online forum, and this activity was reported to authorities.
7. It appears from what was found online that none of the breached data may have been released beyond the one individual who stole it. Further confirmation is needed on this important point.
8. The individual exploited a weakness in a data center firewall. This weakness was identified and fixed quickly once discovered.
9. Capital One's CEO quickly apologized for the incident and reviewed the steps the company has taken since this was discovered in mid-July, including close cooperation with law enforcement.
10. Capital One is saying that they will contact the customers who may be impacted by this and will offer free identity theft protection and credit monitoring.
What are some of the lessons learned from this latest breach?
1. Capital One did the right thing by engaging law enforcement immediately, closing the vulnerability and being sure they had a clear understanding of what took place before going public.
2. When Capital One went public yesterday, the message was clear, concise and did not avoid any of the tough questions. The CEO issued a direct apology, owning this event and reassuring customers as best one can in this situation.
3. Timing is everything. From the time of initial discovery to public disclosure, roughly two weeks had passed. This is lightning fast in the world of data breaches. Capital One should rightly be praised for how this event has been handled to date.
4. This is an example of an insider threat. While most cybersecurity discussions focus on external threats, you can't forget about internal threats. This includes the business partners to whom you outsource any part of your IT infrastructure.
5. This is also an example that proves that every organization is at risk, no matter the size or resources applied to securing the IT infrastructure. You simply can't ignore the risks and must take reasonable steps to show you understand your risks and have taken steps to mitigate those risks.
This is where realistic cybersecurity hits home. You have to take reasonable steps to secure your infrastructure in the face of immense threats. This is not just a technical exercise. It involves proper personnel management, internal and external communication, and response planning and testing. So far, Capital One has handled this breach effectively. It will be interesting to see what additional detail comes to light over the next several days. Stay tuned, and if you need assistance making sure you have a realistic cybersecurity strategy for your business, please get in touch. I'm passionate about helping organizations address this critical need. Stay safe out there!