Large banking institutions like Capital One are among the most targeted organizations by cyber-criminals looking to profit through data theft. Banks are responsible for protecting heaps of personal information about their customers, as well as financial wealth and transactions. This collection of data is a goldmine if a cyber-criminal is able to successfully infiltrate their network and extract the valuable data.
While financial data has always been targeted, medical records are a lucrative target and worth up to 10 times more than credit card information on the black market. Given the inherent risk of possessing so much precious data, it’s vitally important for banks to stay on top of network security trends and ensure their network is always protected. Conducting periodic audits and continually testing your security systems for vulnerabilities is an excellent method for preventing infiltration by cyber-criminals.
What Was Stolen?
If an institution fails to keep its security up to date, the results can be catastrophic and can impact the lives of potentially millions of individuals. On March 22nd and 23rd, 2019, Capital One was targeted by cyber-criminals who were able to expose the data of 100 million Americans and 6 million Canadians.
The data that was stolen was primarily comprised of credit card applications of individuals and businesses that were filed between 2005 and 2019. During the application process, Capital One routinely collects personal information to determine whether to issue a credit card. Some of the information collected includes names, addresses, phone numbers, emails, DOBs, and much more.
In addition to credit card application data, the leak included some customers' credit scores, credit limits, balances, and payment histories. Also included were approximately 140,000 SSNs, 80,000 bank account numbers, and the Social Insurance Numbers of 1 million Canadians. While the vast majority of SSNs and bank account numbers were not exposed, the number that were is far from insignificant.
How’d The Breach Occur?
When Capital One reported the incident on July 19th, the FBI quickly arrested a woman named Paige Thompson, known as “erratic” among her Meetup group. The leaked data was discovered on GitHub, a platform commonly used to manage and store software development projects. After analyzing the files found on GitHub, investigators connected Thompson’s account to the files but still had to establish that it was Thompson personally who carried out the breach. The possibility existed that Thompson’s account had been used as a proxy, without her consent, to mask the identity of the actual attacker. But upon examining Thompson’s Meetup group, the FBI found an invitation to a Slack group chat where Thompson had posted a list of files she claimed to possess. These files were related to the Capital One leak, and the FBI arrested the suspect.
Capital One is an enormous banking institution with top-of-the-line network security tools, so how was Thompson able to get past them? It all began with a misconfiguration of Capital One’s Web Application Firewall (WAF). When properly configured, the WAF filters and monitors web traffic, protects against DDoS attacks, blocks bots and automated attacks, and much more. But the WAF was not set up properly, and Thompson was able to execute three commands:
- Obtain the credentials of the WAF
- Use the account to list the names of folders where the targeted data was stored
- Extract or copy data from the folders, commands which the WAF account had permissions to execute
After reviewing Capital One’s logs, investigators found that the network had received connections from TOR (The Onion Router, a tool that provides anonymity online) exit nodes and from IP addresses belonging to a VPN provider. Thompson covered her tracks and attempted to remain anonymous during the breach, but made several mistakes afterwards that led to her arrest.
Why Was The Attack Successful?
The methods that Thompson employed are by no means a novel strategy that revolutionizes cybercrime; she primarily relied on the mistakes of Capital One. The first and most important duty of any network security team is to ensure that its software is properly configured and up to date with upgrades and patches. Purchasing a highly secure security system that is subsequently misconfigured does not fulfill its desired purpose. Continually performing pentesting and setting up automated security scanning are excellent steps towards ensuring security integrity. If your organization is not diligent with its security, a cybercriminal who is diligent will discover it.
A precaution that Capital One did configure properly was tracking its system logs. When actions are performed on the network, they can be logged and stored. Capital One was able to identify the logs related to the breach and use them to help identify the cybercriminal. Storing these logs was key to discovering the breach and identifying the attacker; they are a useful precaution for mitigating the effects of an unauthorized leak.
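The three-step chain described above (obtain the WAF account’s credentials, list the folders, copy their contents) and the log review that surfaced connections from TOR exit nodes and a VPN provider are exactly the kind of pattern a detection rule can be written against. The following is an added example, not code from the original post or from Capital One: it runs two checks over a handful of constructed access-log lines. The log format, the action names (GetCredentials, ListFolder, CopyData, ReadData), the principal names, and the anonymizer address range are all hypothetical; in practice the address list would be loaded from a threat-intelligence feed of known exit nodes and the actions mapped to whatever your storage platform actually logs.

```python
"""Detection over constructed access-log lines modelled on the chain in the
post: a principal obtains credentials, lists folders, then copies data,
with connections arriving from anonymizing exit nodes.  Log format, action
names, principal names and IP addresses are all constructed for this
example; they are not Capital One's logs or any product's schema."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: exit-node / VPN addresses a defender would normally load from a
# threat feed.  All addresses here are from RFC 5737 documentation ranges.
ANONYMIZER_NETS = [ip_network("203.0.113.0/28")]

# Constructed action names standing in for the three steps in the post.
CREDENTIAL_ACTION = "GetCredentials"
LIST_ACTION = "ListFolder"
COPY_ACTIONS = {"CopyData", "ReadData"}

# Constructed log lines: timestamp principal source_ip action resource
SAMPLE_LOG = """\
2019-03-22T10:00:01Z waf-role 198.51.100.10 ListFolder app-config
2019-03-22T10:01:05Z waf-role 203.0.113.7 GetCredentials -
2019-03-22T10:01:20Z waf-role 203.0.113.7 ListFolder card-apps-2005
2019-03-22T10:01:21Z waf-role 203.0.113.7 ListFolder card-apps-2006
2019-03-22T10:01:22Z waf-role 203.0.113.7 ListFolder card-apps-2007
2019-03-22T10:02:00Z waf-role 203.0.113.9 CopyData card-apps-2005
2019-03-22T10:02:03Z waf-role 203.0.113.9 CopyData card-apps-2006
2019-03-22T10:02:06Z waf-role 203.0.113.9 CopyData card-apps-2007
2019-03-22T10:05:00Z batch-user 198.51.100.20 ReadData reports-daily
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    principal: str
    source_ip: str
    action: str
    resource: str


def parse_log(text):
    """Parse the constructed whitespace-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, ip, action, resource = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            principal, ip, action, resource))
    return events


def anonymized_source_events(events):
    """Check 1: events whose source address falls in a known anonymizer range."""
    return [e for e in events
            if any(ip_address(e.source_ip) in net for net in ANONYMIZER_NETS)]


def detect_list_then_copy(events, min_resources=3, window=timedelta(minutes=10)):
    """Check 2: per principal, find a credential fetch followed within `window`
    by listing and then copying at least `min_resources` distinct resources.
    Returns {principal: sorted list of copied resources} for each hit."""
    by_principal = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_principal[e.principal].append(e)
    hits = {}
    for principal, evs in by_principal.items():
        for i, start in enumerate(evs):
            if start.action != CREDENTIAL_ACTION:
                continue
            listed, copied = set(), set()
            for e in evs[i + 1:]:
                if e.ts - start.ts > window:
                    break
                if e.action == LIST_ACTION:
                    listed.add(e.resource)
                elif e.action in COPY_ACTIONS and e.resource in listed:
                    copied.add(e.resource)
            if len(copied) >= min_resources:
                hits[principal] = sorted(copied)
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("events from anonymizers:", len(anonymized_source_events(evs)))
    print("list-then-copy hits:", detect_list_then_copy(evs))
```

On the sample data the first check flags the seven requests that arrived through the constructed exit-node range, and the second attributes the list-then-copy sequence to the WAF’s service account. Either signal on its own is noisy (legitimate users do occasionally arrive through VPNs, and bulk copies are routine for batch jobs), which is why the second check ties the copies back to a fresh credential fetch and to folders that were enumerated moments earlier; that combination is what distinguishes the pattern in the post from ordinary traffic.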
What Can We Take Away From This?
Unfortunately for the individuals affected by Capital One’s mistake, there is practically nothing they can do to reclaim ownership of their stolen data. The exposed information (addresses, dates of birth, names, and SSNs) ranges from challenging to impossible to change, and can be used to open various accounts or to harass the individual with scams and phishing attacks.
To defend themselves, individuals should take reactive steps to protect themselves. Setting credit limits, freezing your credit, periodically checking your credit score, and setting up credit monitoring are all legitimate tactics to prevent your information from being used to damage your financial well-being. Additionally, knowing that your information may be circulating among cybercriminal groups can sharpen your eye for phishing attacks and online scams.
Maintaining a secure network is a significant undertaking that requires a high level of diligence. The attacks that succeed most often take advantage of a tiny gap in security that leads to enormous consequences. A small configuration vulnerability directly led to the exposure of over 100 million individuals’ data, the effects of which could be felt months, years, or possibly even decades later.
When individuals offer their personal information, they depend on the organization to protect them. That organization is responsible for their most important information and must take that seriously by testing their network and watching for any possible vulnerabilities. Data is rapidly becoming the most valuable commodity on Earth, and organizations must realize that they cannot be relaxed when it comes to protecting their customers.
Are you ready to take your network security to the next level? SecureW2 offers affordable solutions to organizations of all sizes. Click here to inquire about pricing.