Capital One is the fifth largest credit card issuer in the United States, and the company’s recent data breach, which arose from its relationship with a third party vendor, compromised 100 million Capital One Financial Corp credit applications. The hack was carried out against data held on a cloud server. An article by KrebsOnSecurity provided a simplified, yet technical, summary of the breach. The breach stemmed in “part from a misconfigured open-source Web Application Firewall (WAF) that Capital One was using as part of its operations hosted in the cloud.” Because of the misconfiguration, the firewall held permissions broad enough to return any and all data in the stored files to the hacker. The method used by the hacker is called a “Server Side Request Forgery” (SSRF) attack: the server is “tricked” into making a request on the attacker’s behalf and handing back information the attacker should never have been able to obtain. For any organization using the cloud to store data, SSRF attacks have become the most serious and damaging threat.
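To make the SSRF mechanism concrete, here is an added example that is not code from the original article, from KrebsOnSecurity, or from Capital One. It shows a server-side “fetch this URL for me” feature first in the SSRF-prone form (the server trusts whatever URL a client supplies and makes the request with its own network position and permissions), then with a destination check that only allows an approved host, refuses any destination that resolves to a loopback, link-local or private address, and pins the resolved IP so the answer cannot change between check and use. The allowlisted host name `api.partner.example`, the sample IP addresses, and the `resolver` parameter (used so the demonstration runs offline) are all assumptions constructed for this example.

```python
# Added example: an SSRF-prone URL fetch beside a hardened destination check.
# Host names and IP addresses below are constructed for illustration.
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist of the only partner endpoints this service should reach.
ALLOWED_HOSTS = {"api.partner.example"}
ALLOWED_SCHEMES = {"https"}


def vulnerable_fetch_target(user_url):
    """'Before' form: trusts whatever URL the client supplied, so a request
    aimed at an internal service would be made with the server's own network
    position and permissions. Returns the URL the server would fetch."""
    return user_url


def _default_resolver(host):
    """Resolve a host name to its IP address strings (real DNS lookup)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_internal(ip_text):
    """True for loopback, link-local (where cloud instance metadata services
    commonly sit), private, multicast, reserved or unspecified addresses.
    IPv4-mapped IPv6 addresses are unwrapped so they cannot bypass the check."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return bool(ip.is_loopback or ip.is_link_local or ip.is_private
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(user_url, resolver=_default_resolver):
    """Hardened form. Returns (allowed, reason, pinned_ip).

    The caller should connect to pinned_ip (sending the allowlisted name in the
    Host header) instead of resolving again, so a DNS answer that changes
    between the check and the request cannot redirect it to an internal host.
    """
    parts = urlparse(user_url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return (False, "scheme not allowed: %r" % parts.scheme, None)
    host = parts.hostname
    if not host:
        return (False, "no host in URL", None)
    if host not in ALLOWED_HOSTS:
        return (False, "host not on allowlist: %r" % host, None)
    try:
        addresses = resolver(host)
    except (OSError, ValueError) as exc:
        return (False, "resolution failed: %s" % exc, None)
    if not addresses:
        return (False, "host resolved to no addresses", None)
    for address in addresses:
        if _is_internal(address):
            return (False, "host resolves to internal address %s" % address, None)
    return (True, "ok", addresses[0])


if __name__ == "__main__":
    # Constructed resolver so the demonstration runs without network access.
    fake_dns = {"api.partner.example": ["11.22.33.44"]}
    for url in ("https://api.partner.example/report",
                "http://api.partner.example/report",
                "https://127.0.0.1/admin"):
        print(url, "->", check_outbound_url(url, resolver=lambda h: fake_dns[h]))
```

The order of the checks matters: the scheme and allowlist are tested before any DNS lookup, so a URL naming an internal address literal is rejected without the server ever resolving or contacting it. This kind of destination check is one layer; the permissions the server itself holds still need to be the least required, so that a request which does slip through cannot read “any and all data” the way the article describes.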
The D&O Diary highlights more aspects of the data breach and the impact of using the cloud. The article notes the irony that Capital One experienced such a large data breach, since the company is “considered by many to be a digital banking pioneer and one of the more cyber-savvy companies in the world.” This is a great lesson for other organizations – even the most technologically advanced organizations struggle to mitigate cyber-risk from third parties. Vendors, partners, business associates and other third parties that interact with your organization pose a cybersecurity threat that many are not considering. Vendor risk management programs have not kept pace, as breaches that stem from third party relationships continue to grow. The article includes some excellent risk management suggestions for boards to consider as part of their vendor risk management programs. Vendors and customers have an interconnected relationship, which poses cybersecurity threats. PwC reports that “63% of all cyber-attacks could be traced either directly or indirectly to third parties,” highlighting the vulnerability that stems from these relationships.
Many companies are moving towards using the cloud because it offers many financial and operational benefits. The Capital One cloud data breach is a learning opportunity and a chance for other organizations to evaluate new and existing cloud service providers. By no means are we condemning cloud solutions or third party solutions; rather, we urge organizations to be diligent in their use of a cloud service provider. These services certainly provide value, but they do not absolve the organization of its responsibilities for the storage and protection of data.
The Board of Directors at any company should have the responsibility of evaluating and maintaining the relationships with any third parties. If a breach should occur, there are two perspectives that should be considered:
- What if there is an incident at the vendor that impacts the company?
- What if there is an incident at the company that impacts the vendor?
The contract between the two entities will dictate how the parties communicate and how a resolution and game plan are created. The Board of Directors should ensure that the company has access to any and all facts that relate to the cyberattack.
It is critical that the Board of Directors continue to evaluate cybersecurity vendor risk exposure and keep this item at the top of their agenda. If Boards approach these vendor risks with intelligence and determination, the company’s data will be better protected and the company will be more successful. Please reach out to an advisor to discuss your third party relationships and the possible cybersecurity threats these vendors could pose to your organization.