The Lesson From The Capital One Data Breach: The Cloud Is Vulnerable, And We Shouldn't Forget It.
The data breach that Capital One Financial disclosed on July 29 was undoubtedly surprising. And yet, it was also entirely predictable.
In terms of sheer scope—approximately 106 million impacted accounts over the course of 14 years—this is one of the largest data breaches in U.S. history.
When it comes to financial firms, only Equifax’s massive 2017 breach—143 million compromised consumers—and Heartland Payment Systems’ 2008 breach—134 million credit cards exposed—top it.
But the story of this hack is not the what, but the how.
It turns out, all it took for the fifth-largest credit card issuer in the U.S. to expose 140,000 Social Security numbers, 80,000 bank account numbers, and 1 million Social Insurance Numbers was for a rogue developer to infiltrate a single cloud server.
Paige A. Thompson, who has been arrested and charged in connection with the hack, is a former employee of AWS, the cloud platform from Amazon.com Inc. According to the bank, Thompson illegally accessed, copied, and downloaded nearly 30 GB of data from Capital One credit card applicants, data that was stored on an AWS server.
Though the bank said it’s unlikely Thompson sold this data on the black market, and Amazon themselves stated that their service “functioned as designed” the bottom line is that for as useful as cloud storage is, they also provide a unique risk for businesses and the customers whose information they store.
Reliance On The Cloud
Amazon is the clear leader in the cloud, but they are just one part of what was a $184 billion industry in 2018. Last quarter, AWS generated $8.4 billion in revenue. Elsewhere, IBM ’s cloud business made $5.6 billion and Microsoft Corporation’s Azure generated $7.9 billion. Alphabet Inc's Google Cloud now has an annual revenue run rate of $8 billion.
The cloud is big business. And because of the sheer number of clients between them—including the U.S. government and all the major banks—these companies essentially hold the keys to much of America’s technological infrastructure. For their part, the cloud providers have all taken steps to ensure their services are safe. But sometimes all it takes is human error. In 2017, Amazon said an employee inadvertently caused a massive AWS outage, leading to website outages across the country.
That same year, both Verizon Communications Inc and World Wrestling Entertainment, Inc. attributed breaches to improper setup of their own AWS servers.
“In general, banks don’t have storage problems, they have compliance problems. There’s a level of trust the bank must take on when implementing any cloud solution, due to the nature of the shared environment,” says Conte. “With various employees and external vendors now sharing responsibilities across the cloud, developing a multi-tier ownership environment helps to reduce the risk of unauthorized access.
The Banks’ Exposure
According to International Data Corp, banks are expected to spend more than $53 billion on cloud services by 2023. What makes the Capital One situation unique, is that it's a warning shot for the rest of the banks. If it can happen to Capital One, one of the early bank adopters of cloud technology, it can happen to anyone.
JPMorgan Chase & Co.
CEO Jamie Dimon cited cybersecurity as a threat in his April letter to investors. And according to Peter Marta, partner at cybersecurity consulting firm Hogan Lovells and former JPMorgan global head of cybersecurity, this issue “Is probably the single biggest risk facing each institution. Bigger than liquidity risk, it’s bigger than anything.”
Read the original post at Benzinga, written by Ben Israel