What We Can Learn From The Capital One Hack

August 2, 2019

You’ve probably seen the news. One of the world’s largest banks suffered a catastrophic data breach, compromising the personal and confidential information of more than 106 million people. In many cases, the hacker obtained social security numbers and banking information, which pose a great security risk to the affected account holders. Several pieces of additional information were also obtained by the hacker, such as email address, full name, birthdate, etc.

 

“I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

–Richard D. Fairbank, Chairman and CEO

Capital One

 

In this very rare case, the hacker responsible for the breach was actually apprehended by U.S. authorities quite swiftly. The arrest is the result of an investigation that started when the data from Capital One’s systems was leaked online earlier in July and reported to the company by a third party.

The implications of this kind of cyber security incident are all too real – this large U.S. financial institution’s stock dropped more than 6% in the 24 hours following the announcement of the breach. Capital One, in a gesture to salvage their reputation with customers, is now paying for credit monitoring, fraud detection and identity theft insurance for those affected by the breach. According to the Capital One press release, the company expects “the incident to generate incremental costs of approximately $100 to $150 million in 2019.” Yikes.

 

So What Can We Learn From Yet Another High Profile Data Breach?

 

Not IF, But When

Business leaders need to accept today’s reality. Your organization is going to face some sort of cyber security incident. In somewhat rare cases like the Capital One hack, a hacker will target your company specifically. At itweapons.com, we live and breathe security, so we have systems in place to stop hackers in their tracks.

All in all, we conclude that most mid-sized companies will report at least one instance of a cybercriminal targeting their finance leaders and/or accounts payable teams with some sort of spoofing attempt. The cybercriminal’s goal is to trick the target into believing that the sender is a legitimate associate and to eventually get the victim to transfer money to an untraceable account.

However, the vast majority of security incidents, whether in the workplace or at home on your personal computer, are not the result of some nefarious criminal targeting you or your organization specifically. Many of these criminals are simply “playing the percentages” and contacting anyone and everyone they can via mass email blasts.

They use spam tactics, just like crummy marketers do. They start by putting together a giant list of email addresses that are readily available online, on the dark web, Facebook, LinkedIn and other websites. With multiple sources for emails, putting together an email list is fairly easy. And once they have a big distribution list, they can easily prepare a piece of ransomware as a malicious attachment and send it off to the unwitting recipients.

 

Some Things to Consider Moving Forward

 

Configure Your Devices and Applications Carefully and Check Them Often

In the case of the Capital One breach, the vulnerability the hacker exploited was a misconfiguration of their web applications where customers input personal data to sign up for credit cards and other services. Whether due to neglect or simple human error, a configuration error led to an exposed entry point for the hacker to exploit.

This incident is a great reminder to check the privacy and security settings on your devices at home, and to enable advanced security features like 2-factor authentication. For business leaders, the Capital One data breach is an alarm bell to be more proactive when it comes to managing your security posture. Be sure your IT leadership has the resources, investment and support to manage patching and upgrading your systems, regular vulnerability assessments and other proactive security measures. Small configuration errors can lead to catastrophic incidents, and the Capital One hack is the perfect example.

 


Safe Habits at Home and Safe Habits at Work

We live our lives and conduct our business online. We exist in a digital-first ecosystem and we all have to accept the risks that come along with that. We have to remain proactive and consistent in our security posture. It should be treated like maintaining good health. You don’t just eat a salad, have one quick jog, and then expect to be healthy. It requires an ongoing commitment.

 

A Couple Things You SHOULD be Reviewing Right Now

 

Effective Password Management is Critical

First, never use the same password for more than one online service. And never, ever use your work email address and/or password for anything personal. A very common occurrence is that when emails and passwords are leaked in a data breach, cybercriminals will take those credentials and try them in as many other services as possible.

Hackers often use automated software to rapidly test your login credentials on hundreds of website login forms. They are taking advantage of the unfortunate fact that many of us use the same email and password combination for various services. Compromised credentials from one account then give them access to another, raising their chances of stealing more account information and valuable personal data.
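On the defending side, this kind of automated credential testing shows up in login logs as one source trying many different accounts and mostly failing. The sketch below is an added example, not part of the original article; the event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events (not real data): (source_ip, username, success).
# IPs come from the reserved documentation ranges.
SAMPLE_EVENTS = (
    # One source cycling through many accounts with leaked passwords.
    [("203.0.113.7", f"user{i}@example.com", False) for i in range(7)]
    + [("203.0.113.7", "carol@example.com", True)]  # a reused password worked
    # A single user mistyping a password, then getting it right.
    + [("198.51.100.20", "dave@example.com", False)] * 3
    + [("198.51.100.20", "dave@example.com", True)]
    # An office gateway: several users, all logging in successfully.
    + [("192.0.2.50", f"staff{i}@example.com", True) for i in range(5)]
)

def find_stuffing_sources(events, min_users=5, max_success_rate=0.2):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions; tune them to real traffic.
    """
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": 0})
    for ip, user, success in events:
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        s["ok"] += 1 if success else 0

    flagged = {}
    for ip, s in stats.items():
        rate = s["ok"] / s["attempts"]
        # Many distinct usernames separates stuffing from one user's typos;
        # a low success rate separates it from a shared office address.
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "attempts": s["attempts"],
                           "success_rate": rate}
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts a flagged source logged in to: the reused password is known."""
    return sorted({user for ip, user, ok in events if ok and ip in flagged})

if __name__ == "__main__":
    hits = find_stuffing_sources(SAMPLE_EVENTS)
    print("Suspicious sources:", hits)
    print("Force password reset for:", accounts_to_reset(SAMPLE_EVENTS, hits))
```

The accounts returned by `accounts_to_reset` are the ones where password reuse actually paid off for the attacker, so they are the first candidates for a forced reset and a session review.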

 

A Proper Backup System Could Potentially Save You Thousands

Secondly, make sure you have regular data backups happening on your devices and services. All business leaders should ensure that the data on servers, PCs, and network devices is regularly backed up and tested.

The best defense against a ransomware attack is having good backups in place. That way, in the terrible event that a device or portion of your network gets locked down, you can simply restore to a recent backup. And while you may potentially lose a little bit of data, you won’t be faced with the awful decision of having to pay a ransom or lose critical pieces of your business to downtime while you scramble to recover.

 

There you have it. A prime example of why strong IT Security is necessary for all businesses. With a large globally established business like Capital One becoming a victim of a security breach, this goes to show that no business should neglect to develop and maintain strong security systems.

Businesses of all sizes can benefit from hiring experts in the field. Konica Minolta’s IT Services division, All Covered, has received multiple awards for the company’s industry-leading Cyber Security service offerings. Be sure to consider what All Covered can do for your business.

Jeremy MacBean
Director of Marketing and Communications, IT Weapons

Jeremy serves as Director of Marketing and Communications for Konica Minolta’s IT Services Division in Canada, IT Weapons. After earning his Ph.D. from Western University, he joined the IT Weapons team in 2008. His passion for clear thinking and honest messaging is what drives the company’s communications, marketing and talent acquisition efforts. Facing outward, it’s about engaging and educating the broader community of Canadian IT professionals, clients and peers. Internally, it’s about professional and team development within the company. Simply put, his team works to ensure that everyone understands what the company does and why they do it.