What Corporations Should Learn From Capital One

Information Security encompasses several things: application security, cyber security, secure coding, DevOps, anything that involves securing data and systems. In the past, we've discussed how there's burnout in Info Sec. A large contributing factor to that burnout is executives and higher-ups not listening to their employees about security measures that need to be in place, or known weaknesses that need to be fixed. Execs are so concerned with revenue and profit margin that they want all of the latest features out as quickly as possible. That pressure produces quick-and-dirty code and half-finished configuration, which is exactly what attackers look for. Capital One is a prime example of what happens when executives don't take action on known security issues.

In March and April of 2019, Capital One suffered a breach. The breach was not discovered until July, when the company received a tip that its customers' information had been posted on a public GitHub page. According to The Verge, "In a scathing report on its investigation into the breach, the Office of the Comptroller of the Currency, part of the US Treasury, said Capital One was aware its security practices were woefully insufficient, and that the company's board of directors 'failed to take effective actions to hold management accountable.'"

Now, there are two major problems with the entire situation. First, Capital One neglected a known security problem. They likely didn't want to incur the additional cost or delay a feature, so the people doing the work were pushed to ship with known gaps. Most engineers actually hate working that way, which is part of the reason there's burnout in Info Sec as well. Second, the breach happened in the spring and wasn't found until the summer, and even then only because an outsider reported it. While a common occurrence, this points to improper monitoring and alerting on crucial systems. Most companies don't realize they've been breached until months later, which is why hackers continue to do what they do and get away with it. Setting up alerts and protections, along with knowing what normal looks like for each system and each set of credentials, plays a key role in detecting an attack: an alert is only as good as the baseline it is compared against.

In Capital One's case, the issue was improper security controls when migrating to a public cloud: a misconfigured web application firewall on a cloud host let an outsider reach the instance's metadata service, obtain temporary credentials for a role with far more storage access than the firewall needed, and copy customer data out of cloud storage. A former Amazon Web Services employee exploited the weakness and shared the private information of over 100 million Capital One customers with the world. She has since been indicted and is awaiting trial. Not all companies are so lucky as to track down their perpetrator, and any company smaller than a multi-million-dollar corporation is going to suffer a great deal from a breach. They'll suffer in legal fees, lost revenue, loss of trust, loss of customers, payouts for victims and more.
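The two points above, "know what is normal" and "temporary cloud credentials used from somewhere they should never be", can be turned into a concrete check. The following Python is an added example written for this article; it is not code from the original post, from Capital One, or from AWS. It reads trimmed CloudTrail-shaped records and flags an EC2 instance role whose credentials are used from an address outside the account's own ranges, or for an API action that role has never been seen making. The trusted CIDRs, the baseline table, the role name and every sample record are constructed assumptions for the illustration.

```python
"""Added example (not from the original post): spotting cloud-credential misuse
in CloudTrail-style records.  All sample records, addresses and role names
below are constructed for this illustration."""
import ipaddress

# Constructed assumption: the only ranges an EC2 instance role in this
# account should call AWS APIs from (the VPC itself and its NAT egress range).
TRUSTED_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/16", "203.0.113.0/24")]

# Constructed baseline: API calls each instance role was observed making
# during a quiet period.  "Knowing what is normal" is this table.
BASELINE_ACTIONS = {
    "waf-role": {"logs:PutLogEvents", "ssm:GetParameter"},
}

def _event(name, source, ip, arn, **extra):
    """Build a trimmed CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventName": name, "eventSource": source, "sourceIPAddress": ip,
           "userIdentity": {"type": "AssumedRole", "arn": arn}}
    rec.update(extra)
    return rec

WAF_SESSION = "arn:aws:sts::123456789012:assumed-role/waf-role/i-0abc123"
SAMPLE_EVENTS = [
    _event("PutLogEvents", "logs.amazonaws.com", "10.0.1.15", WAF_SESSION),
    _event("GetParameter", "ssm.amazonaws.com", "10.0.1.15", WAF_SESSION),
    # The same role's temporary credentials, now used from outside the VPC
    # to enumerate and pull from storage it never touched before.
    _event("ListBuckets", "s3.amazonaws.com", "198.51.100.7", WAF_SESSION),
    _event("GetObject", "s3.amazonaws.com", "198.51.100.7", WAF_SESSION,
           requestParameters={"bucketName": "customer-records"}),
    # Unusual action from a trusted address: still worth a look, lower severity.
    _event("GetObject", "s3.amazonaws.com", "10.0.1.15", WAF_SESSION,
           requestParameters={"bucketName": "config"}),
    # An IAM user, not an instance role: out of scope for this detector.
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]

def role_from_arn(arn):
    """'.../assumed-role/<role>/<session>' -> '<role>', or None if not that shape."""
    parts = arn.split(":assumed-role/", 1)
    return parts[1].split("/", 1)[0] if len(parts) == 2 else None

def ip_is_trusted(source, trusted=TRUSTED_CIDRS):
    """CloudTrail puts service names ('ec2.amazonaws.com', 'AWS Internal') in
    sourceIPAddress for AWS-originated calls; those are not an exfil path."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in trusted)

def analyze(events, trusted=TRUSTED_CIDRS, baseline=BASELINE_ACTIONS):
    """Return one alert per instance-role event that breaks location or baseline."""
    alerts = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        role = role_from_arn(ident.get("arn", ""))
        if role is None:
            continue
        action = f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}"
        ip = ev.get("sourceIPAddress", "")
        reasons = []
        if not ip_is_trusted(ip, trusted):
            reasons.append(f"instance-role credentials used from untrusted address {ip}")
        if role in baseline and action not in baseline[role]:
            reasons.append(f"{action} is outside {role}'s baseline")
        if reasons:
            alerts.append({"role": role, "action": action, "ip": ip,
                           "severity": "high" if len(reasons) == 2 else "medium",
                           "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["severity"], a["role"], a["action"], a["ip"], "|", "; ".join(a["reasons"]))
```

Run against the constructed records, the two S3 calls from 198.51.100.7 come out as high-severity (wrong place and wrong action), the GetObject from inside the VPC as medium, and the first two events as nothing at all. The point is that neither check needs a signature for a specific exploit: a role that suddenly reads storage from an address it has never used is a finding on its own, and catching it in the log stream the same day is what separates a contained incident from one discovered months later by a stranger on GitHub.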

Account takeovers on social media are rising, and hackers use what they gain there to get into other areas of people's lives. For example, the YouTube channel hack made waves when tech YouTuber and Apple leaker Jon Prosser's channel was taken over. The attack got past his two-factor authentication, possibly through a SIM swap, which only defeats codes delivered by SMS or phone call, and he no longer has access to that channel. Access like that is rarely the end goal: a hijacked channel or inbox is a trusted identity from which to impersonate him to his contacts and sources, and in the worst case to work toward a far bigger target like Apple itself.

This is why we say that people are easier to hack than machines, and why we harp on using unique and strong passwords for each site. Use a password manager if needed. Always use MFA when you can, and prefer an authenticator app or hardware key over SMS codes wherever the site offers one, since SMS is what a SIM swap steals. Hackers don't care who you are, and they don't care what information they get. They will use it to further their endeavors into bigger and more lucrative targets.

What needs to happen now is that all corporations, no matter the size, need to learn from the mistakes of other businesses. Capital One is being fined $80 million for its negligence. There aren't too many businesses that could take that kind of a fine and still function. Because hackers attack indiscriminately, all businesses, no matter the size, need to have appropriate cybersecurity and information security measures in place.

Execs need to listen to the people they hired for security, and slow down on releasing a feature if it's not ready. Let your coders do their job correctly. Let App Sec do their job correctly. Let DevOps push code out to prod only after it's been approved by the security teams. Quick and dirty coding causes major problems, and hackers know it. Don't be the next Capital One. And if you really want to ensure the security of your business, hire an expert, an outside set of eyes, to confirm that nothing has been missed. The extra cost incurred will be far less than any fine imposed due to negligence.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries, including finance, media, medical tech, and defense contracting. He also authored the highly influential precursor HAZL (jADE) programming language.
