Tag Archives: Capital One

Feds Fine Capital One for Shoddy Cloud Security

Dial back your wayback machine to September of last year. Capital One announced that their Amazon environment had been hacked the previous July by an ex-Amazon employee, an attack that was possible due to an incorrect configuration of their security settings.

Fast forward to today and the feds announced an $80 million fine for bad cloud hygiene.

The feds (the OCC) fined Capital One for “Failure to establish effective risk management processes” prior to migrating some of their systems to the cloud.

The OCC said that they considered the bank’s notification and remediation processes favorably in assessing the fine, meaning that the fine would likely have been larger if they hadn’t responded as well after the breach as they did.

On the other hand, they said that the bank glossed over numerous weaknesses in an internal audit.

On top of that, the OCC said that they didn’t report the flaws that they found appropriately to their Board’s audit committee. This means that internal processes were not sufficient to allow the Board to perform its fiduciary responsibility. Rather than blaming the Board, in this case they blamed management.

They also claim that Capital One failed to patch security vulnerabilities, violating regulations that banks must follow (GLBA).

After Capital One got caught, the bank decided this was a good time to spend some money on cybersecurity and start fixing the problems.

There is a moral here, I think.

This is a bank, so the expectations for security are high, but still …

You could wait for a breach and the ensuing regulators and lawsuits. And fines. Or you can start looking at cyber risk management as a business problem and decide that it is probably cheaper to spend the money pre-breach. Last year Capital One said the breach could cost them $150 million. Whether this $80 million fine is in addition is not clear. Credit: The Register

Security News for the Week Ending August 16, 2019

Unencrypted Biometric Data Database Found

A database called Biostar2, containing the fingerprints and face scans of over a million people and used by police, defense contractors and banks, was found unencrypted and exposed on the Internet. That was bad enough.

Then the article said that the database included user names, passwords and other personal information.  Can this get worse?

Yes.  The database was writable, so a hacker could add names to it.  How could that possibly be used for bad purposes?

The story goes downhill from there.  Source: UK Computing.

Is Your MacBook Allowed to Fly?

15-inch MacBook Pros purchased between September 2015 and February 2017 are now banned from airliners by the FAA, even in the cabin, due to the risk of catching fire. I am not sure how the airlines plan to deal with this ban as it is basically serial number related. In any case, if you own one, Apple will repair it for free, so you probably should do that. Source: PCMag.

Capital One Hacker Breached Many Companies

Paige Thompson, the hacker being charged in the Capital One breach, may have hacked as many as 30 companies, although the Justice Department is not saying who.  Media reports say the companies include Vodafone, Ford, Michigan State University and the Ohio Department of Transportation, among others.  I am guessing that at some point these organizations will be forced to disclose that they were breached.  Source: Techcrunch.

Security News for the Week Ending August 2, 2019

Capital One Breached – 100+ Million Applicants Compromised

Among the data compromised are 140,000 US social security numbers and 80,000 bank account numbers.  Also in the mix were one million Canadian social security numbers plus names, addresses, phone numbers, birth dates and incomes.

The data included applicants who applied between 2005 and 2019.  Yes, 15 years worth of applicant data, floating around in the cloud.  I ask WHY?

The hackers were inside between March and July and the breach was discovered in July.  In this case, a U.S. person was identified as the source of the hack and arrested.  She is still in jail.

The feds say a configuration error allowed her to access their data which was stored in the cloud.  See more information at The Register.

Florida Senator Admits He Hasn’t Read the Report on Russian Hacking of Florida’s Election Systems

After the Republican-controlled Senate Intelligence Committee released the first volume of its report on Russian hacking of the 2016 Presidential elections, Florida Senator Rick Scott, who was Florida’s Governor at the time of the election, said on national TV that he had not read the report. The report, which is heavily redacted, talks about Russian efforts to hack “State-2”, which is widely believed to be Florida.

The report is only 67 pages, much less if you read the redacted version, but Scott has only gotten the CliffsNotes version from his staff. At the time, Scott was adamant that his state was not hacked. Florida’s other Senator, Marco Rubio, has been working hard to sound the alarm bells on the report. Perhaps the report hit a little too close to Scott’s denials for comfort. Source: The Tampa Bay Times.

Honda Exposes the Family Jewels

134 million rows of sensitive data were accidentally exposed. Wait. Guess. On an unprotected Elasticsearch database.

Information on the company’s security systems, network, technical data on workstations, IP addresses, operating systems and patches was all exposed. Basically, these are directions for even an inexperienced hacker to attack Honda.

Honda is being pretty quiet about this, but it is one more case of corporate governance gone wrong. Or missing. Source: Silicon Republic.

Apple Suspends Program Of Listening to Siri Recordings

After it was reported last week that Apple had contractors listening to people’s Siri recordings, including sensitive protected health information, Apple announced it was suspending the program and will conduct an investigation. Apple said they will provide an option for people to participate in the program or not in a future software release. Source: The Guardian.

On Eve of Amazon Getting Awarded $10 Billion DoD Contract, Capital One Happens

Amazon and Microsoft are locked in mortal combat over a $10 billion DoD cloud contract called JEDI. Now the Capital One breach happens, exposing information on 100 million customers, and it turns out the person who is accused of doing it is a former Amazon tech employee who may have hacked other Amazon customers as well.

So Congress wants some answers – and probably so does Microsoft.  $10 billion could be hanging in the balance.

This is a message for cloud customers to ask some hard questions of their cloud vendors, even though this particular attack was helped by a configuration error. Source: Bloomberg.