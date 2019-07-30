CHARLOTTE, N.C. (WBTV) - After a hacker allegedly gained person information to more than 100 million Capital One credit applications, a local expert broke down some tips for consumers.
“Capital One has the best and brightest security staff. They have made huge investments. They are a victim of a crime,” Theresa Payton, CEO and president of Fortalice Solutions says. “It just goes to show, again, that the best defenses cannot stop the creativity and tenacity of a hacker.”
Payton says there are things consumers can do to avoid being a target:
1. Credit report alerts: Add these to all your accounts, not just Capital One, due to the data stolen they could target your other cards
2. Credit/debit card/bank and credit alerts: Set these up to alert you of all transactions on all cards, even non-Capital One cards
3. Request a temporary freeze (or a permanent one)
4. Monitor all bank statements and charges closely until we know more about this case
5. If and when you learn your data was impacted, request a new bank account and new card account to avoid future fraudulent transactions against those accounts. You don’t have to wait for fraud to happen to request this
The Capital One hacker got information, including credit scores and Social Security numbers, of about 140,000 customers, the AP reports. The bank plans to offer free credit monitoring to those impacted.
Capital One said it found out about the vulnerability in its system July 19.
“According to the FBI complaint, someone emailed the bank two days before that notifying it that leaked data had appeared on the code-hosting site GitHub, which is owned by Microsoft,” the AP reports.
Paige A. Thompson was charged with computer fraud and abuse in U.S. District Court in Seattle.
“In many of the incident response cases I have worked, often companies only learn from the outside they have been hacked,” Payton says. “In Capital One’s case no triggers, no alerts, no security software alarms told them (as far as we know) that a hack was happening.”
Payton says companies can do the following for protection:
1. Segment data, networks, user access controls
2. Encrypt data in motion and at rest
3. Don’t store real PII: Collect it, score the customer, discard it and just keep the results
4. Review digital shredding strategies: When you are done with data, discard it (unless you have a legal obligation to keep it)
5. Red team your systems regularly
6. Have an incident response playbook
7. Check your cloud configurations regularly
Payton says the Captial One intruder got past the company’s defenses and grabbed the data.
“We see these cloud configuration issues a lot in our incident response work and when we ethically hack or “red team” a company at their request. The hacker anonymized her tracks, the FBI says she used a virtual private network service and the anonymizing TOR browser,” Payton said. “But...as hackers do sometimes, she bragged about it and someone reported it!”
“Who else is being hacked right now that we don’t know about?" Payton asks. "I shudder when I think about how exposed we all are.”
