What we can learn from the Capital One breach

August 5, 2019 Gracie Awalt

Approximately 100 million people in the U.S. and 6 million in Canada had their personal information obtained by a software engineer who gained unauthorized access to Capital One credit card applications and customer data, according to a recent statement by Capital One.

In one of the largest data thefts from a bank in history, customers’ names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income were obtained. About 140,000 Social Security numbers of credit card customers, and about 80,000 linked bank account numbers of customers were also obtained in this incident.

The hacker, a 33-year-old Seattle-area woman named Paige A. Thompson, was arrested and charged with one count of computer fraud and abuse, The Washington Post reported. The Capital One database is hosted by Amazon Web Services, and Ms. Thompson, a former employee of Amazon Web Services, broke through a misconfigured Capital One firewall. This allowed her to communicate with the server storing the customer data.

“Capital One immediately fixed the issue and promptly began working with federal law enforcement,” the company said in a statement. “Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”

Capital One was notified of the theft through an email tip sent on July 17, which stated that leaked information was openly present on the software development platform GitHub. The GitHub account, called “Netcrave,” contained the resume and name of Paige A. Thompson. She also used Twitter to post openly about her hacking efforts for several months, using the screen name “erratic,” according to an article by Krebs On Security.

Along with providing services for Capital One, Amazon Web Services also provides cloud-based services for Samsung, the U.S. Department of Defense, and NASA. The company explained in a statement that Capital One’s web application was misconfigured, not Amazon’s underlying cloud-based infrastructure.

“AWS was not compromised in any way and functioned as designed,” Amazon said in a statement. “As Capital One explained clearly in its disclosure, this type of vulnerability is not specific to the cloud.”

Capital One is providing free credit monitoring and identity protection to everyone affected. The estimated cost of the security breach is $150 million.


Lessons to be learned

A firewall is defined by Cisco as “a network security device that monitors incoming and outgoing traffic and decides whether to allow or block specific traffic based on a defined set of security rules.”

In this case, the Capital One firewall was configured incorrectly, allowing the hacker to access the data stored in Amazon Web Services’ cloud storage. This incident shows the importance of understanding the protective measures put in place by your practice’s cloud service provider.

Cloud-based storage is a growing trend in health care. Health care providers use cloud storage for data collection, aggregation, analytics, and decision making. By 2020, it is estimated that 80 percent of health care data will pass through “the cloud” at some point.

Iron Mountain Inc., an enterprise information management services company, provided the “Top 10 Things to Consider About Omnibus for Cloud Storage.” Keep these suggestions in mind when choosing the cloud service provider for your practice.


1. It is critically important to perform a full risk assessment before using a cloud storage provider. Cloud providers are officially considered business associates and are required to follow the same rules as the organizations they serve. The cloud service provider should have a full compliance program in place.

2. Check the provider’s audit record. Health care organizations should verify that their cloud storage providers are truly HIPAA-compliant, even if they claim to already be compliant. Review the provider’s annual HIPAA audit.

3. What type of encryption does the provider offer? Although encrypting data is not a requirement to be HIPAA compliant, it is encouraged as a strong preventative measure.

4. How will using a cloud storage provider affect your business continuity plan? Cloud storage can make it easier to maintain continuity of business because data is stored off-premises; however, your provider should have a plan to continue operating in the event of a large-scale disruptive event, such as a security breach like the one at Capital One.

5. Are you confident in the provider’s ability to prevent a security breach? Under the Omnibus rule, it is especially important to use a cloud storage provider you have confidence in when it comes to security. Business associates are directly liable for security breaches, but covered entities, like your practice, are equally liable.

6. What will the provider do with your data? You should insist that your cloud storage provider fully disclose in writing what it will do with the data once it is in its possession. Having the data storage policy in writing allows you to ask questions as needed.
