
A Case Study of the Capital One Data Breach: Why Didn't Compliance Requirements Help Prevent It?


Source
Journal of Information Systems Security
Volume 17, Number 1 (2021)
Pages 49-78
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Authors
Nelson Novaes Neto — MIT Sloan School of Management, USA
Stuart Madnick — MIT Sloan School of Management and MIT School of Engineering, USA
Anchises Moraes G. de Paula — C6 Bank, Brazil
Natasha Malara Borges — C6 Bank, Brazil
Publisher
Information Institute Publishing, Washington DC, USA

Abstract

In an increasingly regulated world, with companies devoting a large part of their budget to cyber security protections, why have all of these protection initiatives and compliance standards not been enough to anticipate the leak of billions of data points in recent years? New data protection and privacy laws and recent cyber security regulations show a strong trend and growing concern about protecting businesses and customers from cyberattacks. The purpose of this research was to understand whether compliance requirements would help prevent a major data breach incident at Capital One, one of the largest financial institutions in the U.S. This case study aims to understand the technical modus operandi of the cyberattack, map out the exploited vulnerabilities, and identify the related compliance requirements that existed, based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a vendor-agnostic security framework widely adopted by industry worldwide to provide cyber threat mitigation guidelines. The results of this research and the case study will help government entities, regulatory agencies, and companies improve their cyber security controls for the protection of organizations and individuals.

Keywords

Data Breach, Cybersecurity, Cyberattack, Data Protection, Privacy Laws, Technology.

Open access paper.