Lessons Learned from the Capital One Data Breach (Part I of III)
Deepak Chopra, one of my favorite “thinkers” (if that is a word), reminds us that there is no such thing as a coincidence – there is only what he terms a “synchronicity of the universe.”
Not to say I told you so, but around the same time that the Capital One data breach occurred, I was reminding clients that nearly half of all significant data breaches or cyber-incidents occur because of internal actors. Internal actors can act with intent or negligence and cause devastating harm – e.g. clicking on a phishing email, deliberately stealing important data, or failing to secure a person’s computer. Because of this basic fact, compliance should play a significant role in mitigating cyber and data breach risks – compliance officers are good at assessing a risk, designing controls to mitigate the risk, and then measuring the performance of the compliance program.
Capital One suffered a serious data breach not because of some hooded cyber-junky sitting in Eastern Europe or some sophisticated electronic attack – no, Capital One suffered a data breach because of one bad actor, Paige Thompson.
On July 29, 2019, FBI agents arrested Paige Thompson for downloading nearly 30 GB of data, comprising 100 million Capital One Financial Corporation credit applications, from an Amazon cloud data server. Capital One learned about the theft from a July 17, 2019 email noting that some of the leaked data was being stored for public view on the software development platform Github. The account owner was a user “Netcrave,” whose account page included Paige Thompson’s resume. According to the FBI, Thompson also used a public meetup group where she invited others to join a Slack channel.
For compliance and cyber officials, the Capital One breach underscores the risks that companies face when relying on third-party vendors, in this case Amazon, for their data security needs. Most companies face significant risks from their third-party vendors and are struggling to ensure that cyber risks are adequately mitigated.
Businesses that outsource to third parties whose operations are integrated into their own business operations face extraordinary cyber threats. Vendor risk management programs for cyber threats continue to trouble corporate risk managers. If given truth serum, most companies would concede that their supply chain is at significant risk of attack.
The Capital One case reminds us of the importance of managing these risks, especially when it comes to cloud computing services.
Litigation between a vendor and a company can easily occur if there are questions as to the responsibility for a cyber-attack. In the Capital One case, Amazon has denied any liability for the cyber-attack, claiming that its cloud infrastructure played no role in the vulnerability. Instead, Amazon claims that Capital One’s web application was misconfigured. In the end, the liability issue may turn on the specific contractual provisions between Capital One and Amazon.
One interesting issue is that the perpetrator, Paige Thompson, previously worked for Amazon. She is suspected of stealing data from other Amazon customers. Her course of theft underscores a real risk – cloud computing services serve multiple customers and therefore increase the impact of a breach. Thompson’s course of conduct may create Amazon liability for the Capital One hack.