Capital One: From Cloud Luminary to Data Breach

The other day, we discussed how Capital One’s 2019 data breach of over 100 million customers could have been completely avoided if executives had allowed security teams to fix a known problem. What we didn’t discuss is how Capital One open-sourced their Cloud Custodian, designed specifically for them but shared on GitHub for other companies, and they still got breached.

Let’s back up a little. In 2016, Capital One was a darling luminary of cloud security and compliance. They began developing what would become Cloud Custodian in July 2015. The product takes advantage of AWS’s CloudWatch Events (CWE) and Lambda. CWE allows for event monitoring in a more efficient manner than before the service was available. Lambda can, based on the event trigger in CWE, launch a set of resources for a given set of rules for a set period of time.

“Cloud Custodian is a rules engine that lets us define policies to be well-managed in AWS. You can [determine] a number of infrastructure resources and every organization has a set of policies to be achieved around those resources,” Kapil Thangavelu, technical fellow and primary developer of the Cloud Custodian project, told TechCrunch.

The TechCrunch article goes on to say that the ability to define policies in this way resulted in a 25% reduction in use of AWS resources. For Capital One and other companies that size, that’s a nice chunk of change. Prior to Cloud Custodian, the financial institution created scripts for each requirement with no central oversight. Cloud Custodian centralizes creation, monitoring and management of policies that previously required multiple tools.

Cloud Custodian can pinpoint the exact resources it needs at the exact time it needs them and shut those resources down when the event is over. It is also supposed to give administrators more visibility and control over their cloud infrastructure so that compliance is assured and all resources are being used.
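As an added illustration (not from the original article, and not Capital One's own policy file), here is what a Cloud Custodian policy file of the kind described above can look like: one event-driven rule deployed as a Lambda behind a CloudWatch Events trigger, and one scheduled rule that shuts resources down outside working hours. The policy names, IAM role ARN, tag name, schedule and hours are assumed placeholders.

```yaml
# Added example: constructed policies, not taken from any real deployment.
policies:
  # Event-driven compliance rule. Custodian provisions a Lambda function and a
  # CloudWatch Events rule that fires on the CloudTrail record for RunInstances.
  - name: ec2-require-encrypted-volumes          # hypothetical policy name
    resource: aws.ec2
    description: |
      Evaluate every newly launched instance and terminate those
      that have unencrypted EBS volumes attached.
    mode:
      type: cloudtrail
      role: arn:aws:iam::123456789012:role/custodian-lambda   # placeholder ARN
      events:
        - RunInstances
    filters:
      # Match instances with at least one attached volume where Encrypted is false.
      - type: ebs
        key: Encrypted
        value: false
    actions:
      - terminate

  # Scheduled cost rule. Runs hourly and stops instances outside working
  # hours, the kind of policy behind a reduction in resource use.
  - name: ec2-offhours-stop                      # hypothetical policy name
    resource: aws.ec2
    mode:
      type: periodic
      schedule: "rate(1 hour)"
      role: arn:aws:iam::123456789012:role/custodian-lambda   # placeholder ARN
    filters:
      # Instances carrying the tag can override the default schedule.
      - type: offhour
        tag: custodian_downtime                  # assumed tag name
        default_tz: et
        offhour: 19
    actions:
      - stop
```

Running `custodian validate` on the file checks it against the policy schema before anything is deployed.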

Capital One open-sourced Cloud Custodian on a public GitHub page in 2016 to fanfare, so that other companies could benefit from the tool. It also meant that other people would help with maintenance and improvements because more devs would have their eyes on it.

While some might say that this product should have been able to detect the breach and send resources to stop it, it’s not actually a failure of the product. The product may very well have been able to stop the breach, but because the attack used a known weakness, the set rule may not have applied. Or it was circumvented. Either way, hackers’ ability to get past security measures is becoming increasingly sophisticated.

Capital One now has to pay $80 million in fines. But they also must establish a compliance committee by the end of the month. The committee will meet quarterly, beginning in October, and will be required to provide regular updates. Capital One is also ordered to create an action plan detailing steps it is taking to improve security.

In an email to The Verge, a Capital One spokesperson said that controls the company put in place before last year’s incident “enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker.” Since the incident, the spokesperson added, the company has “invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”

It appears that Capital One is learning from their mistake and will do their due diligence going forward. As stated in our original article, it is imperative that executives listen to their security teams. It is imperative that every single business has cybersecurity protocols in place. And, just as important as being proactive in preventing attacks, having the appropriate incident response plan in place is also essential. Don’t be the next victim. Be proactive. Prepare. Monitor. Know what is normal. Set alerts. Keep your business afloat by protecting every piece of sensitive and/or private information you have on hand. And then remember, the second you have everything secured, hackers are finding new ways to breach, so you have to: Be proactive. Prepare. Monitor. Know what is normal. Set alerts…

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries in finance, media, medical tech, and defense contracting. He has also authored the highly influential precursor HAZL (jADE) programming language.
