Sunday, September 15, 2019

A Capital Offense: Capital One’s Major Breach

It was only two years ago that Equifax became synonymous with distrust when roughly 146 million accounts were breached, leaking personal information such as Social Security numbers and financial records.

Equifax is facing a settlement of around $650m over that breach, which, set against the scale of the damage, is getting off lightly.  That doesn't mean people have forgotten the incident; many are still wary of the institutions that hold their financial data, as they should be.

As a matter of fact, this wariness has been all but cemented by Capital One, a major US bank, suffering a massive breach estimated to have affected about 100 million people.


Estimating the Damage

What is the Capital One data breach?

Capital One disclosed the breach on July 29th, having discovered it on July 19th.  The figures below are Capital One's own estimates; as with Equifax, the final count may not be known for months.  These are the current estimates:
About 140,000 US Social Security numbers
About 1 million Canadian Social Insurance Numbers (Canada's equivalent of the SSN)
About 80,000 linked bank account numbers
Roughly 100 million credit card applications and the customer data they contain

The affected credit card applications date back as far as 2005.  Capital One has set up a verification page where you can check whether your information was involved in the breach.

The good news is that the person charged with the breach, former Amazon Web Services engineer Paige Thompson, was arrested on the day the breach was disclosed.  Judging by the paper trail she left on the Internet, she didn't seem to mind being known as the hacker behind a breach that affected over 100 million people.

How the Breach Occurred

At some point you sit down and ask yourself, "How does a breach this colossal happen?"

Surely there's a sophisticated explanation.  There's no way it's something as mundane as a badly configured VPN server or an insider.

Well, Thompson did say she was able to access the server and its data remotely, but on its own that tells you little, since almost every intrusion is remote.  Some early commentary assumed remote code execution (RCE); other sources said the entry point was not RCE at all but a server-side request forgery (SSRF).

In an SSRF attack, the attacker tricks a server into making a request on their behalf to a resource the server can reach but the attacker cannot: an internal service, an admin interface, or, on a cloud host, the instance metadata service that hands out temporary credentials for the server's assigned role.  With those credentials the attacker can then read from cloud storage directly, exactly as the server itself would.  SSRF bugs are common, often easy to exploit and extremely valuable, so if that is what Thompson found, she hit the jackpot.

However, this is still speculation.  The exact method can't be confirmed until Thompson or the investigators say more, or until enough time passes for the break-in to be analysed in full.
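To make the SSRF pattern concrete, here is an added example (written for this post, not code from Capital One or from any real incident): a "fetch this URL for me" endpoint with no validation, beside a hardened check that refuses private, loopback and link-local targets, including the cloud metadata address 169.254.169.254, and verifies every address a hostname resolves to.  The hostnames and addresses in the offline resolver are constructed for the illustration.

```python
"""SSRF: a vulnerable URL-fetch endpoint beside a hardened outbound-request check.
Added illustration for this post; hostnames and addresses below are constructed."""
import ipaddress
import socket
from typing import Callable, Iterable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]

# Link-local address of the cloud instance metadata service (AWS, GCP and Azure
# all use it). This is the resource an SSRF attacker on a cloud host most wants
# the server to fetch, because it hands out temporary credentials for the
# instance's role.
METADATA_V4 = ipaddress.ip_address("169.254.169.254")


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to every address it maps to (IPv4 and IPv6)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def constructed_resolver(host: str) -> List[str]:
    """Offline stand-in for DNS so the example runs without a network.
    Names and addresses are made up for this illustration."""
    table = {
        "cdn.example.com": ["93.184.216.34"],
        "localhost": ["127.0.0.1", "::1"],
        "intranet.example.com": ["10.0.0.5"],
        # A name that maps to a public address *and* the metadata address.
        "rebind.example.com": ["93.184.216.34", "169.254.169.254"],
    }
    return table.get(host.lower(), [])


def fetch_unvalidated(url: str) -> str:
    """VULNERABLE: turns a caller-supplied URL straight into an outbound request.
    A 'preview this link' or 'import from URL' feature written this way lets the
    caller point the server at hosts only the server can reach. (Returns the
    request it would make instead of doing network I/O.)"""
    return f"GET {url}"


def address_is_internal(addr: IPAddress) -> bool:
    """True for any address an outbound fetch must never be allowed to reach."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 is the metadata address in disguise
    return (not addr.is_global or addr.is_link_local or addr.is_loopback
            or addr == METADATA_V4)


def validate_outbound_url(url: str, resolver: Resolver = system_resolver,
                          allowed_hosts: Iterable[str] = ()) -> str:
    """HARDENED: return the IP literal the request may go to, or raise ValueError.
    Checks the scheme, an optional host allowlist, and every address the host
    resolves to, so a name that maps to a private or link-local address is
    refused. Connect to the returned IP (sending the hostname in the Host
    header) instead of re-resolving; that closes the DNS-rebinding gap between
    this check and the actual connection."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    allowed = {h.lower() for h in allowed_hosts}
    if allowed and host.lower() not in allowed:
        raise ValueError(f"host not on allowlist: {host}")
    try:
        candidates = [ipaddress.ip_address(host)]  # IP literal: no DNS involved
    except ValueError:
        candidates = [ipaddress.ip_address(a) for a in resolver(host)]
    if not candidates:
        raise ValueError(f"host does not resolve: {host}")
    for addr in candidates:
        if address_is_internal(addr):
            raise ValueError(f"{host} resolves to internal address {addr}")
    return str(candidates[0])


def is_blocked(url: str, resolver: Resolver = constructed_resolver,
               allowed_hosts: Iterable[str] = ()) -> bool:
    """Does the hardened check refuse this URL?"""
    try:
        validate_outbound_url(url, resolver, allowed_hosts)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    metadata_url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
    print("vulnerable endpoint would issue:", fetch_unvalidated(metadata_url))
    for url in [metadata_url, "http://[::ffff:169.254.169.254]/latest/meta-data/",
                "http://rebind.example.com/", "file:///etc/passwd",
                "http://cdn.example.com/logo.png"]:
        print(f"{'BLOCKED' if is_blocked(url) else 'allowed'}: {url}")
```

The check is only one layer.  The other half of the defence is on the cloud side: give the instance a role that can read only what that service needs, so that even a successful SSRF yields credentials that cannot enumerate and copy every storage bucket in the account.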

The Consequences of the Breach

When I say consequences, I’m not talking about the potential identity theft or selling of information that can occur, though I’m sure those will happen.  No, I’m talking about the social backlash and the seeds that Capital One and Equifax have planted in society.

Since the Equifax breach, more people than ever have come to the realization that their data is never truly safe.  Sure, your data can be encrypted, erased, etc., but there’s always that window, that period of time where your data is up for grabs by whoever can work their way around a computer.

And when huge banks and businesses like Equifax and Capital One allow this to happen, it sends a message that, deep down, they don't care enough about people's data.  How does a bank like Capital One let an SSRF happen?  An attack like that needs an exploitable flaw in a public-facing service and, behind it, a server that can reach far more than it should.  Why would either exist in the first place?

With growth comes paranoia, anxiety, fear, a variety of emotions that all culminate in the statement, “I don’t know.”

I don’t know how these companies treat my data.  I don’t know if my data is out there, ready to be sold on a dark web market.  I don’t know what to trust on the Internet.

Equifax and Capital One have sown the seeds of distrust in today's society, and more people are realizing that they, just like everyone else, don't know how their data is treated.  This realization is good in the long run, as it can lead to reforms and positive change, but it's a negative feeling nonetheless.