The recent hack against Capital One may be one of the biggest ever in terms of the number of customers affected as well as business impact. The breach on March 22 and 23, 2019 exposed the personal information of nearly 106 million of the bank’s customers and applicants.
The hacker gained access to personal information related to credit card applications from 2005 to early 2019 for consumers, applicants and small businesses. Capital One detected the breach on July 19. Among the personal data exposed were names, addresses, dates of birth, credit scores, transaction data, Social Security numbers and linked bank account numbers.
About 140,000 Social Security numbers and 80,000 linked bank account numbers were exposed. And for Canadian credit card customers and applicants, approximately 1 million Social Insurance Numbers. However, Capital One says no actual credit card account numbers or login credentials were revealed in the hack.
An event of this magnitude can certainly cause a lot of pain. Indeed it already has.
Since the incident was first reported in late July, a U.S. Senator has written Amazon CEO Jeff Bezos requesting details about the security of Amazon’s cloud service AWS; popular code depository Github has been sued; and the New York State attorney general office has opened an investigation. It would be surprising to not see additional repercussions. And it’s only been two weeks since the initial attack.
A hack is bad enough, but if the data for the 106 million customers impacted and did not fully encrypt all the data, then security incidents of this magnitude can result.
According to the Wall Street Journal, “In the Capital One incident, experts said the bank might have used a weak type of encryption or failed to properly store decryption keys, allowing a hacker to access data.
Capital One said in a statement this week that it uses encryption “as a standard,” but the method used by the hacker “enabled the decrypting of data.” The bank didn’t respond to questions about its encryption practices.”
GDPR fines in the future for Capital One?
Because it currently appears that all of the victims of the breach were not based in the EU, Capitol One avoid any fines stemming from GDPR, the EU regulation GPDR that came into effect in May of 2018. In this instance, they could be extremely fortunate. But the fact that some of the data collected by the bank stretched back to 2005 is indeed concerning.
Holding onto data for such a long time would absolutely be viewed as a significant violation by the EU. As this Databreach Today article pointed out, “The prevailing wisdom these days is that organizations shouldn't hold onto data that's unneeded. That is codified in Europe's General Data Protection Regulation, which says organizations should generally delete personal data when it's no longer needed for the purpose it was collected, such as if someone closes their account.”
GDPR is very real and its impact is increasingly being felt worldwide. Last month, the U.K. data protection authority the Information Commissioner’s Office levied major fines against both British Airways and Marriott International. On July 8, it fined British Airways a whopping $228 million (£183 million) for its 2018 data breach that impacted more than a half a million customers. Hotel giant Marriott International was fined $124 million (£99 million) for its breach that exposed the personal data of nearly 340 million guests.
This latest, massive breach is a good time to review some important guidelines around GDPR. It has both raised the bar for how businesses should get consent to their legal policies, and notably elevated the standards expected from the policies themselves – especially when it comes to privacy policies.
The GDPR demands that businesses focus on details more than ever before. The regulation forces business owners and webmasters to dive into the nitty gritty of their data collection practices and spell it out for users and regulators.
- What data does your organization collect?
- For what purposes do your company use that data?
- On what grounds is your organization processing data? (GDPR Article 6 lays out six possible bases for data processing – consent, legitimate interests, vital interests, legal obligation, fulfillment of a contract, and public interests.)
- Is the data shared with anyone?
- Is the data transferred outside of the EU? (If you’re an American company targeting EU citizens, your answer is already ‘yes.’ You also need to note where your servers are located and to where you may be transferring data.)
- Do you have a Data Protection Officer?
- Does your company have a European Economic Area (EEA) Representative?
The ramifications of the Capital One breach are still unfolding. More information will be coming to light in the coming days and months that will provide clues into how this occurred. The silver lining (if there really is one) is those clues will only help us improve our security practices. Here at GlobalSign, we always strive to go above and beyond the standard encryption practices. This enables us to provide our thousands of customers worldwide with greater confidence that our PKI-based certificates help them secure their data.
There are many lessons to be learned about the Capital One hack, but understanding why it took place is only the beginning. Start by exploring GlobalSign’s PKI and AEG automation pages. Then check out the Resources below.