Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security United States Government

Capital One's Breach Was Inevitable, Because We Did Nothing After Equifax (techcrunch.com) 165

An anonymous reader shares a report: Another day, another massive data breach. This time it's the financial giant and credit card issuer Capital One, which revealed on Monday a credit file breach affecting 100 million Americans and 6 million Canadians. Sound familiar? It should. Just last week, credit rating giant Equifax settled for more than $575 million over a date breach it had -- and hid from the public for several months -- two years prior. Why should we be surprised? Equifax faced zero fallout until its eventual fine. All talk, much bluster, but otherwise little action. Equifax's chief executive Richard Smith "retired" before he was fired, allowing him to keep his substantial pension packet. Lawmakers grilled the company but nothing happened.

An investigation launched by the former head of the Consumer Financial Protection Bureau, the governmental body responsible for protecting consumers from fraud, declined to pursue the company. The FTC took its sweet time to issue its fine -- which amounted to about 20% of the company's annual revenue for 2018. For one of the most damaging breaches to the U.S. population since the breach of classified vetting files at the Office of Personnel Management in 2015, Equifax got off lightly. Legislatively, nothing has changed. Equifax remains as much of a "victim" in the eyes of the law as it was before -- technically, but much to the ire of the millions affected who were forced to freeze their credit as a result.

This discussion has been archived. No new comments can be posted.

Capital One's Breach Was Inevitable, Because We Did Nothing After Equifax

Comments Filter:
  • Humanity is getting what it deserves for its complacency. I'm beyond being enraged or feeling sorry for anybody.

    I'm just stocking up on ammo, just in case.

    • by jellomizer ( 103300 ) on Tuesday July 30, 2019 @09:21AM (#59011646)

      The problem isn't complacency, it is being cheap and short sighted.
      There seems to be little effort put into long term strategies. Be it Infrastructure Investment from our government, Companies putting money into increasing their IT security, Making sure their technology and processes follow more energy efficient methods.

      Capital One will probably get a fine, that will cost less then what it will take for them to actually fix the problem, so they will do nothing, besides the bare minimum. Unless this changes, these breaches will only get worse.

      • by Archangel Michael ( 180766 ) on Tuesday July 30, 2019 @09:32AM (#59011710) Journal

        The problem isn't being Cheap or Short Sighted. Not at all. The current laws making consumers responsible for their stolen ID caused by this shit is 100% calculated and can be 100% prevented with a simple change.

        Make the people responsible for ID Theft, those that have allowed the theft of the ID, those that are issuing credit based on stolen ID, responsible for the losses. That change, would solve a great deal amount of the problem.

        Given that just about everyone has had their identity stolen at this point, the people issuing credit have to be held accountable. The info has already escaped containment. There is no putting the maladies back into Pandora's Box.

        • by Anonymous Coward

          The problem is how much 'value' a criminal gets from a stolen ID. The solution is much more oversight while granting credit. The 'easy credit' industry thrives on people being given credit cards right at the checkstand at a store. Having a few bits of personal data, like a "secret code" SSN, should never be enough to set up a credit account. The SSN was never intended to be used as that.

        • And how exactly are we supposed to determine where the identity thief got the information they're using to open credit in someone else's name?

          And how is a creditor supposed to be able to confirm that a person applying electronically, who has every possible piece of information about someone to supply, is actually that person - without going back to taking our horses and buggies to the bank to apply in person?

          The creditors and credit bureaus need to have security standards imposed on them since they can't, w

          • by Pascoea ( 968200 )

            And how is a creditor supposed to be able to confirm that a person applying electronically, who has every possible piece of information about someone to supply, is actually that person

            The problem is you don't need all that much information on someone to open a line of credit. Name, Social Security Number, Date of Birth, and address are generally enough. The problem is a large swath of that information is essentially public information at this point, and all of it is impossible or very difficult to change. This is a problem we solved decades ago, with passwords. I understand it's not a perfect solution, but it's better than the "nothing" we have today. There is no reason that access

            • The problem is you don't need all that much information on someone to open a line of credit. Name, Social Security Number, Date of Birth, and address are generally enough.

              Indeed. This is the root of the problem. Very little information is need to steal an identity and establish credit, and all of it is semi-public information.

              Until we fix this, nothing else will make much difference.

            • No need to be dramatic.

              Yes there is. The "Dramatic!!!!!!" (See what I did there?) increases emotion and that is now counted as a viable "fact" in modern discussions. You can tell they don't actually want to discuss anything by the weird strawman "without going back to taking our horses and buggies to the bank to apply in person?" Because there is no other option between now, and 1870's Horse n Buggy.

          • And how exactly are we supposed to determine where the identity thief got the information they're using to open credit in someone else's name?

            Sometimes it is quite straightforward but it doesn't really matter. If a company is maintaining a record of sensitive information about a customer and they have a breach of their security on that data then the company should be automatically and substantially liable to the individuals affected by their inadequate security. Right now they have very little legal responsibility and rarely face serious repercussions for data breaches. It should be up to them whether they want to accept the risk but the conse

          • ...without going back to taking our horses and buggies to the bank to apply in person?

            Maybe credit should only be granted face-to-face, with biometrics gathered on the new debtor when said credit is granted (and confirmed upon any subsequent credit increases/changes)? I know, I know, but before everyone screams "privacy!", a few strictly-enforced laws against use of said biometrics except as escrow should be (mostly?) sufficient. This way claims of identity theft can be handled with sufficient evidence, and the biometrics can be used to help hunt down and/or confirm the thief?

            • I suppose that would be great, if you want to massively reduce competition in lending to only those lenders where you can appear in person and make an appointment to apply for a loan. Most people have enjoyed the greatly reduced costs of borrowing that national competition has brought.

              • That can be worked around, the same way mortgage brokers do it - just have an agent act on your behalf, authorized by the lender(s) to transmit the needed biometric data, paperwork, etc.

      • What we need is a fine large enough to give every affected person $1000 and two years of credit protection services.

        And then do that instead of giving the money to the lawyers.

        • Or, giving it to government. We should be compensated for the amount of our âoecreditâ limit for 10 years + punitive damages. If the feds want to fine them as well, fine. And, do not allow the C level officers to escape nor allow the company to declare bankruptcy.

          If they canâ(TM)t pay, then substantial jail time.

      • by gweihir ( 88907 )

        Yes, very much so. Unless there is personal consequences for this, like under HIPPA, nothing will change.

      • It's not just being cheap and short sighted. That's part of it, but it's not the whole picture.

        Basically, having real, good security would eventually require two things:

        1. 1) The ability to encrypt information end-to-end in a way that cannot be intercepted.
        2. 2) Identity management such that you can potentially link online personas to real-world people.

        For the first item, the government doesn't want it because it keeps them from snooping on us (and prevents big companies from snooping, and those big companies

      • It's electing a president that absolutely gutted regulation.

      • The problem isn't complacency, it is being cheap and short sighted.

        And, as the post continues, the people responsible not facing serious consequences for such problems.

        Although a hit to the stock price -- or revenue from customers -- sometimes stings a bit. For a while.

    • "12 Weird Way to Stop Being Dumb. Number 5 will AMAZE you!"

  • by Anonymous Coward

    We're gonna do nothing after this one either. Companies holding all this data is good for the government. The government wants companies to hold data because they can subpoena it easily and can usually get it with no questions asked. The government has no intention of discouraging any kind of data collection.

    You don't bite the hand that feeds you.

  • Agile Retooling (Score:3, Interesting)

    by Anonymous Coward on Tuesday July 30, 2019 @09:20AM (#59011632)

    Was capital one transitioning to DevOps and Agile and in the process had a leaky wall of data protection standards they removed and rolled backed because it was impeding their Faster to Market paradigm shift? Not like that is happening all over the fucking place leaving customers vulnerable.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      No. I worked inside of Capital One 'Cloud Custodian' support team. The company has an extensive system for securing its data. The problem is this attack came from an insider in Amazon (at least that is what I heard on the news).

      C1 has been in AWS for 3 or 4 years already and has spent millions to secure its resources. This is a problem inside Amazon.

      • by Anonymous Coward

        No, it is a problem stemming from depending on outside services for security, one of the most basic security flaws possible. Cloud is inherently insecure because it adds more points of failure.

      • by gtall ( 79522 )

        An insider who was no longer working for Amazon. S/he seems to have observed the hole in Capital One's security whilst working there and then did the raid after s/he left. At least the linkedin profile had the perp working for Amazon and quite in 2017.

  • by Anonymous Coward

    "Diversity" strikes again!

  • Shit happens (Score:2, Insightful)

    by DarkOx ( 621550 )

    I know a thing or two about CapitalOne's operations and their use AWS. Frankly I would STILL place more faith in them to hold / protect my personal data and accounts than most of the rest of the financial industry. They are building out a solid infrastructure.

    I know everyone wants to pile on right now but I don't think its fare.

    Misconfigurations happen, and what we have here is basically an insider threat situation, which is the most difficult to defend against. This really isn't a cloud issue so to spea

    • by AmiMoJo ( 196126 )

      This could have been averted if they had spent more money on security experts and infrastructure.

      They didn't spend that extra money because there is no business case for doing so. The fallout from this will, at worst, be a small fine.

      Equifax demonstrated that. Ignore the headlines about $125 per victim. That's the maximum and the fund is capped, so if 10% of victims actually applied they would get about $2 each. If all victims got their compensation it would be $0.20 each.

      When the price of a breech is $0.20

  • What do the credit companies have to lose if their data is breached? Almost nothing, really. All the transactions are insured, so they lose no money of their own. If a couple customers leave afterwards, that really isn't of any consequence to them as there are always more customers out there eager to give them money. It is hard for them to see themselves having anything to gain by building up their security when they have quite nearly nothing at all to lose by leaving it just the way it is.
    • it's just where are you going to go? Look, I'm going to need to buy thing. That means I need a bank account and a credit card (I don't plan on using my bank account online).

      On the plus side in America you're limited by statute to how much you're on the hook for in the event of fraud on a Credit Card, and it's pretty low ($75 IIRC). Plus most companies don't bother trying to collect that $75. This seems to have been a Credit Card database, so the likelihood is Capital One really will be on the hook for t
  • It is time for investigators to follow the money. Based on past settlements I would guess my data is worth 200-300 dollars to each of these companies. At least after the lawyers and courts take their cut.

    So as a consumer your life's information is worth a few thousand dollars.

    It seems the bad guys have won. Massive data breaches occur monthly and those are only the breaches that make the news. It can take months or even years for the typical company today to detect a breach.

    The local governments hav

    • by DogDude ( 805747 )
      The credit card money comes straight out of the merchants' pockets at a rate of about 3% a year. Credit card users (they're not customers) don't care because that 3% is out of sight, out of mind. Stop using cards. Use cash.
  • FBI report (Score:5, Informative)

    by kalpol ( 714519 ) on Tuesday July 30, 2019 @09:31AM (#59011704)
    https://www.justice.gov/usao-w... [justice.gov] PDF, short but entertaining.
    • Favorite part: "Im like > ipredator > tor > s3 on all this shit"

      Gosh, how could I ever get caught? I'm so smart, I'll brag about what I did online!

      * FBI with search warrant knocks on door *

    • by AmiMoJo ( 196126 )

      Wow. She uploaded some of the stolen data to her personal Github account that she signed up for using her real name... And then blabbed about it on social media. Hey, at least she used a VPN, which unfortunately is also linked to her identity.

      Quite the faceplant.

  • by Anonymous Coward

    The Equifax hack was sloppy support and poor management. Capital One hack was an inside job at Amazon (at least that is what is being reported).

    I worked inside Capital One and the company has extensive support inside the company to protect all its resources in the cloud. They haven't been hacked by some outside source which should say a great deal about Capital One IT.

    • by gtall ( 79522 )

      Capital One still misconfigured part of their security, that's what made the perp able to pull it off. And s/he stopped working at Amazon in 2017, if the linkedin profile is correct.

  • by mschaffer ( 97223 ) on Tuesday July 30, 2019 @09:44AM (#59011778)

    This is not true at all. We gave Equifax the gentlest of hand slaps.

    The nerve of some people to say we did nothing. Harrumph.

  • Still shocked (Score:5, Interesting)

    by Lucas123 ( 935744 ) on Tuesday July 30, 2019 @09:47AM (#59011794) Homepage
    Capital One's net revenue was $28 Billion last year and their profit was $5.7 Billion; 75% of their revenue came from credit cards. Yet, somehow they were unable to correctly configure a web application firewall allowing a former software developer to hack into their database and gain access to 140,000 Social Security numbers and 80,000 linked bank account numbers, along with other personal information accessed included phone numbers and credit scores. So what is the federal government going to do about this? What penalty will Capital One incur that will amount to more than it's conference room lunch budget money. Anyone want to be nothing of substance will happen?
    • Oh, I am sure that the full weight of this will fall on a single person's head. One guess who that will be.

    • Re:Still shocked (Score:5, Informative)

      by Jason Levine ( 196982 ) on Tuesday July 30, 2019 @10:24AM (#59011994) Homepage

      A few years ago, my identity was stolen and used to open a Capital One credit card. They had my name, address, SSN, and DOB. They got my mother's maiden name wrong (red flag #1), immediately changed the address to a different state (red flag #2), and tried to get a cash advance before the card was activated (red flag #3). I only was saved by the thieves paying for rush delivery of the card and Capital One processing this BEFORE the address change - so the card came to me.

      When I got the card, I called to report the fraud. I was told first that it likely wasn't fraud, but my wife opening the account in my name without telling me. She was right beside me freaked out so I doubted this. Finally, they admitted that it was fraudulent and closed the account, but refused to give me information on the account - like the address that it was changed to. I was literally told "if we tell you that and then you go and shoot them, we'd be liable." So they had no liability on opening an account in my name, but were fearful of liability on telling me anything about the account in my name.

      They also stonewalled the police. The police were told to call a certain number, but that line always went to voicemail and nobody answered it.

      In the end, I had to freeze my credit and will need to keep it frozen for my entire life. The thieves got away and weren't punished at all. And Capital One likely just wrote the whole affair off and continued business as usual. Credit Card companies don't care about fraud or identity theft. The more credit cards that are opened, the better for them. If you get a collections agency beating down your door because of a card "you" (really an identity thief) opened, it's not something they'll be worrying about.

      • In the end, I had to freeze my credit and will need to keep it frozen for my entire life.

        Having your credit frozen isn't something to regret. It's an absolute necessity. To think otherwise is like saying, "Too bad my house was burglarized. Now I'll have to lock the doors for my entire life."

        It really isn't even that difficult to deal with anymore. Since the laws were changed (because politicians and powerful people were being affected by the breaches), you can now freeze your accounts online, get a PIN

        • Don't get me wrong. I feel a lot better with my credit frozen. It's an inconvenience to thaw it whenever I want to get a new line of credit, but it's better than having someone open a new line of credit in my name. Still, it feels like the credit agencies are foisting the inconvenience on me because they don't want to be bothered in securing their systems.

  • ID (Score:5, Insightful)

    by bugs2squash ( 1132591 ) on Tuesday July 30, 2019 @09:49AM (#59011810)

    ID should be something we can all share without fear. The loss of records about my basic ID and that of almost all ordinary people; who I am, where I live, my DOB, my taxpayer ID number should not be a problem. The problem comes when these details are used by banks and governments as if they were secrets known only to the individual.

    Surely there must be better and acceptable ways that I can verify who I am when I genuinely want to apply for financial services and there must be a way that the consequences for making a bad identification can fall solely on the financial institution when things go wrong

    what we need is a new way of doing business, because all the basic facts about us were stolen long ago anyway

    • by gtall ( 79522 )

      Saying there must be a way to prove one's identity does not make it so. This is analogous to those idiot FBI and DoJ chiefs claiming there must be a way to backdoor encryption yet still be secure. Of course they go further and then claim that we must thence have backdoors in encryption as if this was a logical deduction instead of fools pissing into the wind and claiming it is sea spray.

    • by AmiMoJo ( 196126 )

      Surely there must be better and acceptable ways that I can verify who I am

      There are, but they all cost the bank more money than they save. The technology costs money to deploy, and anything that makes the service even slightly harder to sign up for or use means lost sales.

  • by burtosis ( 1124179 ) on Tuesday July 30, 2019 @09:52AM (#59011816)
    We actually got a massive settlement!! Sure it's some sketchy free credit monitoring that should have been free anyways, but everyone can actually forgo that useless service and get up to $125 by going here [equifaxbre...lement.com] to check if you're "eligible" and filing on the "equifax" website here [equifaxbre...lement.com]. It's only 31 million dollars, so if we all take our claim, that's, lemme see here, *math noises*, a check for 10 cents each!! It's literally 5x more than anyone expected so cash in on that sweet free free gravy train fellow slashdotters for today, we eat cake...
  • by hwstar ( 35834 ) on Tuesday July 30, 2019 @10:00AM (#59011852)

    An example needs to be made....

    This continues to happen due to lack of accountability and America's two-class system.

    If anything, the penalties should be more severe for the people managing this information.

    All animals are equal, but some animals are more equal than others. -- Animal Farm

  • by DogDude ( 805747 ) on Tuesday July 30, 2019 @10:02AM (#59011862)
    Americans don't care about privacy. Americans don't care about forking over 3% of their paycheck to credit card companies. Americans are too lazy to use cash. This will continue to happen.
    • You seem confused. I don't give 3% to the credit card companies. The places I shop have to pay the credit card company and then I get it back in the form of airline miles and visa stock dividends.
      Thank you for your support.

      • by DarkOx ( 621550 )

        This ^^^ I also don't fork over %3, the idiots running around paying cash do and like you my card issuer cuts me in on about 80% of that!

        Hope the buffoons never catch on.

      • by DogDude ( 805747 )
        The places I shop have to pay the credit card company and then I get it back in the form of airline miles and visa stock dividends.

        Oh, you're right. You get all of the fees back in "rewards". Visa and Mastercard and Chase and Wells Fargo and First Data and Worldpay are all just running on fairy dust [visa.com]. You're a very smart person!
    • Yeah dude. Americans are extremely different, more than any other race/nation/arbitrary grouping of any other people on this planet. AND! They deserve all this because of the way they are.

      Perhaps you should help Americans become less lazy and join in on the feeding frenzy with the other criminals whose behaviour is CLEARLY justified by how terrible and lazy Americans are.

      Americans clearly deserve to be raped and pillaged by the immoral because Americans are already immoral by being lazy.

      You sir, are a dumba

  • The rich get richer, buy lawmakers, allowing them to get even richer and avoid penalties for cheating. Slippery slopes sometimes do happen.

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Tuesday July 30, 2019 @10:18AM (#59011964)
    Comment removed based on user account deletion
  • "Capital One's Breach Was Inevitable, Because We Did Nothing After Equifax"

    That's bullshit. Capital One's breach was inevitable because of the profitability of a successful breach. If you make a treasure chest valuable enough and the prospective criminals needn't risk their physical well-being to make attempts at the treasure, they will keep trying and trying.

    You could fine Equifax into the ground and people will still be attacking for treasure. Don't conflate the two. They're related in subject, but there

    • by DarkOx ( 621550 )

      Right I am amazed but the foolishness of the article and much of the sentiment in the comments here.

      I asked another A/C if they have ever in their life forgot to lock all their doors an windows. I wondered if they had process for auditing the lock states like having their spouse double check each and every time.

      Yes negligence should be punishable, cover ups of breaches should be punishable; but there has to be way to say that well you practiced due care and you still got popped. Its interesting if I suggest

  • Victims include people who applied for credit over a decade ago.

    Unless those same people had a much more recent interaction with Capital One, any ancient data that needed to be stored should have been stored offline or near-offline, with alarms tripped when any of the data was pulled "online" for any legitimate purpose.

  • We need to round up these careless bastards, one and all, and introduce them to Mademoiselle Guillotine. If they're not going to take this shit seriously, then perhaps we need to impress upon them that we take it seriously.
  • Change will only come when the entire banking/financial/credit system falls flat on its face, due to so many breaches and data privacy violations. Then the ones who benefit from a lack of data protection will feel the financial pain and will act to "fix" the problem (maybe not entirely in the consumer's favour, but hopefully with some benefit to us).

  • Maybe we should just stop thinking of name+ssn+dob as being "sensitive" information. It's out. You know it's out. No, I'm not publishing mine here.. yet. But we ought to not feel weirded out by doing that, because it should be totally safe to me, for hostile strangers to have that info. And it probably already is safe, since hostile strangers do have that info.

    Thanks, Equifax. No really.. thanks, Equifax. The cat is permanently out of the bag, isn't it? Isn't it? Can we accept that yet, and acknowledge tha

  • Equifax settled for more than $575 million over a date breach it had

    Seems like breaking a date is expensive in the USA.

  • pretty much everyone credit worthy was already breached.
  • As is almost always the case, whenever I know some or all of the facts in a reported story, the reported story is inaccurate based on the writer's bias (which in this case, I generally share, when I don't know any facts.)

    To say that Equifax may not have paid for its security mistakes to the satisfaction of many may well be true. They are, after all, still an operating credit bureau, and divine retribution did not rain down from above in any sense. However, to say Nothing Happened is patently false, given
  • While the media is quick to condemn companies for breaches, they fail to realize how much time, money, and maintenance goes into cybersecurity. I am a security engineer at a large company and I can tell you firsthand that building an impenetrable security posture isn't just difficult- it's not possible. The reality is that even with every security solution and security framework in place.... you can still get hacked. Obviously, we have to be able to hold companies we interact with to a certain standard, but

  • All they have to do is strategically decentralize their services a bit and put certain elements of their software in the Cloud. Maybe if they used Open Source Software more it would help. Capital One, like Equifax, sounds pretty monolithic from the way I've heard they manage their user data.

  • like the billionaire elites are doing.

  • There is NO SUCH THING as identity theft. There is, however, a great deal of credit fraud. There is also a great deal of libel.

    That is, credit card company stupidly hands over a wad of cash to someone who used my name and SSN. Not my problem, I'm not the one that did a stupid thing. I don't have any input into their stupid policies. To them I say, "prove it was actually me of STFU and take your lumps".

    But no, they report it to credit agencies who then for some reason take the word of any idiot company over

  • It's SO easy to transparently encrypt data at rest now. All you really have to do is to turn on a few configuration settings and set up a decent key management system. If this had been done by Equifax or Capital One, any hack would have resulted in a pile of useless gobbledygook that couldn't be decrypted. The people that designed this system should be shot.
  • We need FAR more serious punishment for hackers! https://www.theguardian.com/la... [theguardian.com] or it'll never end.

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...