The Financial Services Industry Just Does Not Get It

The banking and financial services industries are continuously under cyber-attack, which is becoming more sophisticated.  Some of these organisations are learning from their mistakes and the improved sophistication of the attacks but many don’t and this is an on-going problem. Now, the credit card giant CapitalOne has been found to have suffered a potentially disastrsous data breach affecting over 100m customers.
 
In just one Internet minute cyber-criminals steal around $2.9 according to the annual Evil Internet Minute report from RiskIQ.
The company has analysed and data derived from the volume of malicious activity on the Internet and they report that cyber-criminals cost the global economy $2.9 million every minute in 2018, which became a total of $1.5 trillion. 
 
Capital One Financial Corporation has admittedhat they were subjected to a cyber-attack by an outside individual who obtained over 100 million pieces of personal information relating to people who had applied for its credit card products and to Capital One credit card customers. 
 
Capital One claim to have immediately fixed the configuration vulnerability that this individual exploited and promptly began working with federal law enforcement. The US Justice Dept. hav announced that FBI has arrested the person responsible, suggesting the the breach itsef took place some time before the 19th July when Capital One first realeased the news.
 
A former Seattle technology company software engineer has been arrested on a criminal complaint charging computer fraud and abuse for an intrusion on the stored data. US Attorney Brian T. Moran. is quoted as saying: “Capital One quickly alerted law enforcement to the data theft, allowing the FBI to trace the intrusion,” said US Attorney Moran.  “I commend our law enforcement partners who are doing all they can to determine the status of the data and secure it.
 
This criminal event has affected approximately 100 million individuals in the United States and approximately 6 million in Canada. No credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised, according to Capital One.
 
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
 
Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
 
• Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
• Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
 
No bank account numbers or Social Security numbers were compromised, other than:
 
• About 140,000 Social Security numbers of our credit card customers
• About 80,000 linked bank account numbers of our secured credit card customers
 
For Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident and the affected individuals will be notified through a variety of channels. The investigation is on-going and CapitalOne says its analysis is subject to change.
 
Almost two years after the breach at Equifax exposed the confidential financial records  of 143m US citizens and four years after the Anthem data encryption debacle allowed hackers access to 80m cutomer records, Capital One's admission comes just a month following discovery of the careless exposure of confidential data by First American .
 
It really does look like the financial services industry has learned nothing about proper data protection practice. 
 
Dept. of Justice:        RiskIQ:
 
You Might Also Read:
 
Banks Are Making It Easy For Hackers:
 
Cyber Attacks On The British Financial Sector Increasing Fast:
 
 
 
« What Is The Dark Web?
5G Networks Expand In The UK »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

UK Cyber Week Expo & Conference

UK Cyber Week Expo & Conference

Award-winning event organiser ROAR B2B announces the launch of UK Cyber Week and its inaugural event on 4 and 5 April 2023 at the Business Design Centre, London.

Oxygen Forensics

Oxygen Forensics

Oxygen Forensics offer the most advanced forensic data examination tools for mobile devices and cloud services.

Backup Technology

Backup Technology

Backup Technology is a world leader in the Online Cloud Backup, Disaster Recovery and Business Continuity market.

Security Onion Solutions

Security Onion Solutions

Security Onion Solutions is the creator and maintainer of Security Onion, a free and open platform for threat hunting, network security monitoring, and log management.

VisionWare

VisionWare

VisionWare provide consulting services and solutions in areas covering both physical and digital security.

MBL Technologies

MBL Technologies

MBL Technologies specializes in information assurance, enterprise security, privacy, and program/project management.

Tutamantic

Tutamantic

Tutamantic develops software that reduces security risks and weaknesses during the architectural and design stages.

National Accreditation Authority Hungary (NAH)

National Accreditation Authority Hungary (NAH)

NAH is the national accreditation body for Hungary. The directory of members provides details of organisations offering certification services for ISO 27001.

iProov

iProov

iProov delivers authentication and verification simply and securely, based on a genuine one-time biometric.

Red Alert Labs

Red Alert Labs

Red Alert Labs is an IoT security provider. We created an independent security lab with a disruptive business offer to solve the technical and commercial challenges in IoT.

ECOLUX

ECOLUX

ECOLUX is a professional IoT security service company committed to developing world-leading “IoT Lifecycle Security” technologies and products.

Cypress Data Defense

Cypress Data Defense

Cypress Data Defense helps clients build secure applications by providing training, best practices, and evaluating security during every stage of the Secure Application Development Lifecycle.

UTMStack

UTMStack

UTMStack is a Unified Security Management system that includes SIEM, Vulnerability Management, Network and Host IDS/IPS, Asset Discovery, Endpoint Protection and Incident Response.

Mindmajix Technologies

Mindmajix Technologies

Mindmajix is a live and interactive e-learning platform that offers professional online IT training in areas including cyber security.

Reflectiz

Reflectiz

Reflectiz empowers digital businesses to make all web applications safer by non-intrusively mitigating any website risks without a single line of code.

Theta432

Theta432

THETA432 is a cybersecurity firm that provides 24/7/365 managed prevention, detection, response, Hybrid SOC, cyber defense monitoring services with dynamically defined defense (3D™).

iSTORM

iSTORM

iStorm specialise in supporting organisations who require a range of Privacy, Security and Penetration testing related services.