In the latest of the big data breaches, bank holding company Capital One Financial Corporation released a statement discussing a breach of its database. The breach allowed an unauthorized individual to gain access to sensitive information of millions of its customers.
Capital One stock went down by 5.73 percent in response to the incident on Tuesday. The data breach has raised questions over the security of consumers’ data and that of the issuers.
The breach has reportedly affected more than 100 million individuals across the US and 6 million in Canada, according to Capital One’s statement. The LA Times reported on Wednesday that even those whose applications have been rejected are still vulnerable to the breach.
However, Capital One said in a statement posted on its site “importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.”
The hacker, Paige Thompson, 33, is said to be a former employee of Amazon Web Services Inc, the American press reported. The engineer was able to manipulate a vulnerability in a server on Amazon’s cloud service where the data was stored. Amazon, however, said that it found no evidence that its services had been compromised.
In an interview with the Northeastern News website, William Robertson, an associate professor at Northeastern, said that the incident is a “clear failure to either encrypt personally identifiable information, or to protect the encryption keys used to protect that data, which is a common failure mode for cloud-hosting provider storage encryption schemes.”
In his interview, Robertson reiterated what various security entities have been explaining: that “there is insufficient internal incentive to use the security technology we have.” According to a recent story published on Communicate, “only 25 percent of the business leaders across Europe, Middle East and Africa are confident in their current cyber security.” Despite the numbers, the firm explained that the issue lies internally, as there is a lack of security culture within organizations.
“The Capital One incident is the latest in a string of high-profile, high-impact data breaches. The hacker in this case unlawfully gained access to users’ information by exploiting a misconfigured web application firewall – something that could have been prevented,” said Salam Yamout, the Internet Society’s Middle East regional director, in a statement to the press.
Even though Capital One learnt about the hack through a tip on the 17th of July, the release announcing the incident was made on July 29 in order to pursue the hacker. The Capital One data breach has been identified as among the biggest breaches, according to statistics provided by BBC reports.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Chairman and CEO, in the statement published on the website. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
While in this case the hacker was identified immediately, the incident highlights the major issues tech companies are facing, including but not limited to their vulnerable servers. “Companies holding personal and sensitive data need to be extra vigilant. Use strong passwords and multi-factor authentication, keep software updated, be careful with email, encrypt/hash and back up your data where ransomware can’t get to it,” added Yamout in the statement.
In its statement, Capital One said that none of the breached information was used for fraudulent purposes, but gave assurances that it would notify those affected and provide free credit monitoring and identity protection. The bank has said that it will continue investigating the incident.