The recent Capital One data breach highlights one more element of IT security that organizations must be more vigilant about – employees and contractors who are entrusted with access to critical business systems and applications. While these people need access to perform their jobs, there are few controls in place to prevent them from exfiltrating data for nefarious purposes.
In the case of Capital One, the alleged hacker, Paige A. Thompson, got access to the personal information of over 100 million consumers and small businesses in the U.S. and 6 million in Canada who had applied for credit from 2005 to 2019. She then boasted about the hack on social media, which led to her arrest by the FBI. She is charged with computer fraud and abuse, and faces up to five years in prison and a $250,000 fine if convicted.
Thompson was a former employee at Amazon’s web services unit, the world’s largest cloud computing business. This is where Capital One stored its data and applications. After departing Amazon in 2016, Thompson exploited a security flaw she found in one of the bank’s applications. This is what enabled her to steal the trove of customer records between March and July of this year.
The lesson here is that companies must not only contend with security vulnerabilities in their own business applications and be more careful about whom they hire, but must now also inquire about the third-party employees and contractors brought in by the cloud providers to manage their IT infrastructure. There may be two or three layers of vetting that must occur at different service providers. If any one of them fails to do its job, the consequences can be disastrous and ripple through a good portion of a cloud provider’s customer base.
Thompson held several jobs before joining Amazon, none lasting more than a year. That alone should have been a red flag. She also had a track record of odd behavior on social media, but evidently Amazon’s vetting process didn’t pick up on it. Further research would have revealed drug use and mental problems.
Capital One will spend up to $150 million related to the breach, mostly for notifying customers and paying for credit monitoring. This doesn’t include payment of potential fines for failing to take adequate precautions to protect customer data. The $700 million settlement forced on Equifax for its 2017 data breach and Europe’s $124 million fine imposed on Marriott for its 2018 data breach have already put business executives on notice that careless handling of sensitive data will no longer be tolerated. If previous trends hold true, Capital One should expect a significant hit to its bottom line.
Will hacks of this nature become routine occurrences? There is good reason to believe this is already the new normal. Hundreds of corporations may still not know they have suffered a serious data breach or that former employees and contractors may have left back doors in their systems for future exploitation.
Given that the human element will always be the weak link in the security chain – negating huge corporate investments in manpower, processes and procedures – personal background checks on IT professionals are long overdue as a standard HR policy. This is an essential step for finally getting a grip on this multifaceted and seemingly intractable problem.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.