When it came to cybersecurity, 2019 was a turbulent year for banks all over the world. One of the culprits for this was Paige Thompson (known as ‘erratic’ on several hacking forums), who managed to set alarm bells ringing in one of the world’s most powerful financial institutions.
This was Capital One, the fifth largest credit card issuer in the USA, and one of the most valuable such companies in Canada. It all happened in July, when the company became aware of the fact that the private information of 100 million users, both customers and credit card applicants, had been exposed: names, addresses, phone numbers, email addresses, dates of birth, and even incomes.
The vulnerability called into question not only the company’s reputation, but also its financial results: as of today, this breach is estimated to have cost around $150 million.
How the breach happened
The breach has its origins in Thompson’s career. The 33-year-old programmer had worked for some time at Amazon Web Services (AWS), the multinational’s web hosting service, where Capital One hosted both its servers and its cybersecurity systems.
At one point, Paige Thompson created a piece of software to analyze all of the company’s servers, automatically searching for possible vulnerabilities that could be exploited. This is what it did, until it came across the Capital One vulnerabilities. These allowed her to access a litany of personal data and private information about customers and users. This data wasn’t just being accessed by her; it was circulating on GitHub and even on a Slack channel. In fact, the cybercriminal herself was seen on social networks bragging about having accessed all this private information.
The financial institution has stated that Thompson didn’t manage to get hold of any of the affected parties’ passwords. However, despite this, she has been charged with wire fraud, computer fraud, and financial fraud since the FBI arrested her.
Data breaches at Caja Rural
Spain has also been hit by incidents of this kind. Towards the end of 2019, at least one bank in Castilla y León from the Caja Rural Group suffered an intense data breach, which allowed a cybersecurity expert to access a large amount of private information.
The breach had several kinds of victims: hundreds of customers, employees and former employees, and even job applicants had their personal data exposed. This included names and surnames, ID numbers, landline and mobile numbers, home addresses, email addresses and access keys.
In fact, the bank suspended access to Ruralvía, its mobile banking app, in order to guarantee its users’ security. A public evaluation has yet to be carried out regarding the possible consequences of the breach, but the impact on the bank’s image and reputation is clear. This is especially true if we consider the fact that, as El Confidencial reports, the private data wasn’t accessed via a cyberattack; rather, it was accessible because the data was stored on systems with several vulnerabilities.
How to react to a data breach
Any organization that is exposed to a data breach must deal with the fallout from the incident. The first step in this process is acknowledging the incident, and making it public, as the Spanish Data Protection Agency (AEPD) explains:
- Detection and identification. After becoming aware of the vulnerability, the organization must properly identify any damage caused, as well as analyzing its scope.
- Every action needs a response. A company that is exposed to a data breach, even if it has already lost some of its information, must react to ensure that the consequences are minimized.
- Wherever a company operates, it must report any data breach, take the measures set out in its jurisdiction with the diligence required, and take on any possible sanctions if there are any.
- After suffering a data breach, the company affected must change or update its cybersecurity protocols. Not only will it have to engage more proactively in the fight to avoid new vulnerabilities, but it will also have to keep an eye out for possible future repercussions that could result from the breach.
To avoid this kind of incident, every organization’s security program must pay special attention to how it processes data. The first step for this is to have full control of the sensitive data stored on each endpoint. This is possible thanks to solutions such as Cytomic Data Watch, which monitors the files on all devices, searching for personal and sensitive data, as well as allowing files to be erased from the single Cytomic console to mitigate any risk.
Personal data is still one of the most attractive assets for cybercriminals. This is why organizations’ cybersecurity priority must be to reinforce the security of their endpoints to keep that data safe from possible intrusions.