Turns out Capital One’s massive data hack may be the tip of iceberg. Reports have emerged that other companies and institutions may also have fallen victim.
Continue Reading Below
|COF||CAPITAL ONE FINANCIAL CORP.||94.46||+0.56||+0.60%|
|VOD||VODAFONE GROUP PLC||20.06||+0.59||+3.03%|
|F||FORD MOTOR COMPANY||9.27||+0.02||+0.17%|
The slack messages of alleged hacker Paige Thompson imply that Vodafone, Ford, Michigan State University and the Ohio Department of Transportation were also hit according to reports. CyberInt, an Israeli security firm, which is assisting in assessing damages, says the list may grow due to the connected breach of the Amazon Web Services-managed cloud.
Thompson had previously worked at Amazon Web Services (AWS), the cloud computing service where the Capital One data were stored and is accused of stealing 106 million credit applications and files from a cloud server. She was arrested on Monday and charged in a criminal complaint.
Lawmakers are now demanding answers. Republicans on the House oversight and reform committee have launched an inquiry into Capital One and Amazon, in a sign of mounting political scrutiny of the companies’ cybersecurity practices. The committee is requesting a briefing within the next two weeks. In a letter addressed to Capital One’s chief executive Richard Fairbank, the committee demanded more details on the scope and nature of the breach, as well as the bank’s response, “to help us more fully understand Capital One’s recent incident and its potential to affect millions of Americans” as reported by Fox News.
Data breaches are not new but are becoming more frequent. Facebook, Quest Diagnostics, and Equifax have all been hit with highly publicized hacks in which bad actors gain access to a consumer's most sensitive details like social security numbers, insurance numbers, and personal information. According to estimates from IBM and Ponemon Institute, the average data breach in the United States costs companies around $8 million, and that dollar amount is rising.
Vice President of Security Strategy for SentinelOne, Chris Bates said there is not much a consumer can do to protect their information – it is the responsibility of the companies to properly monitor and maintain this sensitive information.
“The use of cloud services allows companies to work fast, so as you’re writing computer code it’s easy to produce misconfigurations and allow vulnerabilities for bugs,” said Bates. “You’re not designed to ensure security.”
In reviewing the affidavit for Capital One, Bates says they were compiling the data in a log, but it is unclear how closely the log was being monitored for abnormalities. These abnormalities would indicate a breach or another issue with the automated script. While Amazon Web Services quickly addressed the issue, once it was identified, it may have been too late.
“If the tech or software has a bug or a hack, routine software may not catch it. I can’t guarantee that’s what happened but we’re seeing this more and more,” said Bates
He notes there are three security defense technologies, which companies can use to prevent cyber threats.
How Companies Can Prevent Cyber Threats
- Attack Simulation, or breach simulation, run attacks in a certain environment to assess what would happen if a vulnerability were introduced
- Behavioral simulation tools should detect abnormalities in the code
- “SecDevOps” or “DevOpsSec” arms developers with cybersecurity training in order to inherently build the programs to be more secure