Capital One Data Breach

  • 30 Jul 2019 11:58 AM
    Message # 7804274
    John Styles (Administrator)

    On July 29, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of Capital One credit application data from a rented cloud data server. Capital One said the incident affected approximately 100 million people in the United States and six million in Canada.


  • 30 Jul 2019 11:59 AM
    Reply # 7804276 on 7804274
    John Styles (Administrator)

    That data included approximately 140,000 Social Security numbers and approximately 80,000 bank account numbers on U.S. consumers, and roughly 1 million Social Insurance Numbers (SINs) for Canadian credit card customers.


  • 31 Jul 2019 12:58 AM
    Reply # 7805103 on 7804274
    James Walters (Administrator)

    Note the root cause - Capital One failed to properly secure a firewall within their AWS cloud services, which made it easy to access the data. I think the real problem is that companies like Capital One are moving services too quickly to the cloud without properly trained and experienced staff.

    My question to the group is - is it worth the cost savings of moving to hosted and cloud providers if you lack the skills and experience to properly manage, control, and protect the infrastructure from afar? I say, no way! This is just another case to show that you need product education and hands-on professionals to manage your environment. I'm sure the cost they estimated in savings from cloud services is now dwarfed by the cost they will have from lawsuits and class-action cases that will surely come from this breach.

  • 31 Jul 2019 8:53 AM
    Reply # 7805432 on 7804274
    James Walters (Administrator)

    https://www.newsweek.com/amazon-capital-one-hack-data-leak-breach-paige-thompson-cybercrime-1451665

    Here we go, Amazon says it's not us, it's the customer that is responsible for properly configuring the cloud services.

    If you are moving services to the cloud, you had better be sure to understand the risk and how to properly configure the environment.

Copyright 2018, International Information Systems Security Certification Consortium, Inc. ("(ISC)²"), in website format and trade dress only. All Rights Reserved. (ISC)², CISSP, SSCP, CAP, ISSAP, ISSEP, ISSMP, CSSLP, and CBK are registered certification, service, and trademarks of (ISC)². Disclaimer: (ISC)² does not own, operate, or moderate this website. All content of this site, exclusive of licensed trademarks or copyright, is the property of the designated (ISC)² Chapter organization, which is not owned, managed, or controlled by (ISC)² and operates independent of (ISC)².

(ISC)2RVA is a 501(c)3 nonprofit organization.  EIN: 83-4655968

P.O. Box 2566, Glen Allen, VA 23058-2566