Law enforcement may have found the perpetrator quickly.
But the theft of personal data concerning 106 million Capital One customers renewed deep concerns about the big banks’’ ability to protect information and the persistence of what Deutsche Bank’s CEO once called “antiquated and inadequate technology.”
The extent of the damage from Capital One’s breach remains unclear. According to The Wall Street Journal, investigators were looking into whether 33-year-old Paige Thompson, whom they charged with the breach, also may have collected personal information from at least two other organizations.
Republican lawmakers from the House of Representatives Oversight Committee have asked Capital One and Amazon to submit briefings by August 15. New York State Attorney General Letitia James announced Tuesday that her office would investigate the breach. “We cannot allow hacks of this nature to become everyday occurrences,” James said.
The episode highlighted the continued cybersecurity vulnerabilities of large financial institutions and the lack of talent to address growing cybersecurity challenges facing large organizations. Within hours, Capital One posted several high-profile tech job openings, including director of cybersecurity operations. In a statement, Capital One CEO Richard Fairbank said he was “deeply sorry for what has happened” and “committed to making it right.”
And it wasn’t just Capital One. UniCredit SpA, Italy’s largest commercial bank in assets, said they were investigating whether they had suffered data breaches tied to the same Amazon cloud servers that Thompson, also known by her online moniker “erratic,” cracked in March and April this year. Michigan State University was also jeopardized. Thompson mentioned the three organizations as well as the Ford Motor Co. and Michigan Department of Transportation in online postings. Ford and the Michigan agency said they were also investigating potential data thefts.
Deutsche Bank has also struggled to keep up with the digital revolution, as the lender was forced to slash spending amid its restructuring and latest round of layoffs. It plans to reduce tech spending to $3.2 billion in 2022 from a peak of $4.6 billion this year, Bloomberg reported earlier this month.
Last year, Marriott International said that hackers had stolen personal data of more than 500 million guests via a hole in its Starwood reservation system. A 2017 breach of credit monitoring company Equifax exposed the information of nearly 150 million consumers.
Capital One tried to reassure customers via its web site that their information had not been used for fraud and outlined measures the company is taking to prevent scams. This came even as a Colorado woman reported receiving a call that her Capital One account had been frozen although she is not a card holder.
The company also said that it was looking to hire technology talent. A search of the company’s employment pages with the keywords cyber security led to at least 15 positions.
The breach may offer opportunities for fintech startups that focus on cybersecurity issues. Cloud storage systems provide speed and efficiency at low cost, but Thompson may have exposed a weakness: namely that a hacker who surmounts security measures for one customer may use similar methods to access other organizations’ information.
Data breaches related to cloud storage have been taking place more frequently as more companies rely on these services, the technical director of the Online Trust Alliance Initiative, a research and educational group, told the Houston Chronicle. Jeff Wilbur said that companies should be testing for security weaknesses.
An Unidentified Tipster
In a complaint filed Monday in Seattle Federal Court, the Federal Bureau of Investigation said that Thompson stole customer data from Capital One credit card applications and other documents stored on the Amazon server. The data included social security numbers, addresses and associated bank accounts.
Capital One learned about the breach from an unidentified tipster, who noticed a suspicious page containing what appeared to be Capital One data on the hosting site Github, and then notified law enforcement.
“Capital One quickly alerted law enforcement to the data theft—allowing the FBI to trace the intrusion,” U.S. Attorney Brian Moran said on the U.S. Department of Justice website.
What has made the case unusual is that Thompson didn’t mask her actions or appear to have sold the data, as is typical with mass breaches.
Karma Takeaway: The Capital One breach highlighted the big banks’ ongoing weakness in protecting customer data, but it is also revealing opportunities for fintech startups.