Application Development

Will Capital One’s Latest Data Breach Upend its Reputation as a Digital Transformation Darling?

The Capital One hack appears to be one of the largest data breaches ever to hit a financial services firm. This news raises the question: are companies doing enough to prevent future mishaps?

Hims Pawar

Aug 01, 2019

A data breach is every CEO’s greatest nightmare today. This is especially true for those in the financial services industry, where 35 percent of all data breaches occur. Unsurprisingly, financial services firms are targeted more often than those in any other sector, with breaches tripling over the past five years, according to findings from an Accenture report.

Earlier this week, Capital One—the nation’s third-largest credit card issuer—announced a massive breach of one of its servers that exposed the sensitive personal information of more than 100 million of its customers and applicants. Nearly 140,000 social security numbers and 80,000 bank account numbers were accessed, Capital One acknowledged in a statement.

Bloomberg reports that just weeks before the incident was reported, a hacker began tapping into a trove of data from Amazon’s servers the bank was using. The company described the alleged hacker (a former Amazon employee) as a “highly sophisticated individual who was able to exploit a specific configuration vulnerability in our infrastructure.”

The bombshell news comes just one week after Equifax agreed to pay at least $640 million for its own major breach in 2017, where hackers stole the personal information belonging to millions of Americans in one of the most significant data breaches in history. Capital One’s latest security mishap is now considered one of the largest data breaches ever to hit a financial services firm.

Why do these colossal breaches continue to take place? Are companies doing enough to prevent future data breaches?

Risk from Innovation and Growth

“We are now considered one of the most cloud-forward companies in the world,” Chief Executive Officer Richard Fairbank wrote in the company’s annual corporate social responsibility report just last year.

Capital One has become a poster-child for innovation in banking technology by embracing its cloud-first practices and setting ambitious goals to transform the traditional organization into a digital enterprise. For many IT organizations today, moving to the cloud like Capital One is considered the ultimate goal.

“Capital One is one of the most ‘cloud forward’ financial companies in the world,” Tom Kellermann, chief cybersecurity officer at software firm Carbon Black, told CNBC. “They should be partnering with solution providers who are intimately aware of how to keep the cloud secure.”

The company uses AWS exclusively and uses its services to develop, test, build and run its most critical workloads, including its new flagship mobile-banking application, as described by Capital One CIO Rob Alexander at Amazon’s heralded AWS Re:Invent, the industry’s most important cloud event.

According to a LogicMonitor study, 83 percent of enterprise workloads will be in the cloud by 2020. In this gold rush to lease compute and storage from service providers, business leaders often take the safety and security of data for granted, thinking only about the benefits of speed and innovation. However, nearly 66 percent of IT professionals understand that it’s actually security that’s the most significant concern in adopting an enterprise cloud computing strategy.

While Capital One’s mishap was only possible because the organization had misconfigured its Amazon server (something quite common in the IT security world), when it comes to cloud security, the onus is on the enterprise itself to protect data, not the service provider. It’s a story we continue to see again and again: the enterprise itself misplaces, misconfigures, or misuses sensitive data, and that leads to a breach, rather than some kind of sophisticated hack or exploit by a cyber-criminal. This incident will put yet further scrutiny on how data is secured and how it is shifted to third parties, including cloud services such as AWS.

“The magnitude of this breach is very large,” JPMorgan Chase & Co. analysts said in a note. “While it is unclear whether this is directly related to Capital One’s transition to a cloud-based infrastructure,” there is likely to be “renewed concern going forward.”

Closing Thoughts

Sadly, this is not the first time that Capital One has suffered a breach. In 2017, the company notified customers that a former employee may have had access to personal data, including account numbers, telephone numbers, transaction history, and social security numbers, for months.

To become a leader in today’s digital economy, innovation must include data privacy and security. Enterprise leaders must take data protection seriously and design security into the workflow to keep it safe from both external and internal threats.

In the world of app development, data is used for testing, and the vast majority of breaches happen when data is copied out of production for testing. With the advent of the GDPR, we’re really beginning to see the impact of breaches, and the most successful organizations are optimizing their digital transformation efforts by thinking security first and integrating data masking as part of application development.

Securing all software environments, so that data is protected in both non-production and production systems, can prevent software developers, testers, or any IT professional from accessing and exposing personal data in the first place.

As more and more organizations advance the use of cloud across the business, a foundational change in how data is accessed, managed, and secured across the enterprise, made by adopting a DataOps platform, will be key to dramatically mitigating a company’s risk of a data breach.

Capital One, once a “darling” of digital transformation for its innovation in financial services, must now travel the long road to regain customers’ trust—all thanks to a breach that, in large part, was certainly avoidable. The lesson for all of us here: protect data before it moves to third parties, including the cloud, because as they say: “there is no cloud, it’s just someone else’s computer.”