You are here
For big banks, it’s an endless fight with hackers
[NEW YORK] Large financial companies have to thwart hundreds of thousands of cyberattacks every single day. Data thieves have to get lucky only once.
Big banks like Capital One, the victim of a recent attack that captured the personal information of more than 100 million people, are a target for digital troublemakers, like individual hackers trying to impress their peers or intelligence operatives for foreign governments.
A single weak spot is all savvy hackers need. And they often find them. Already this year, there have been 3,494 successful cyberattacks against financial institutions, according to reports filed with the Treasury Department's Financial Crimes Enforcement Network.
Federal law enforcement officials said on Monday that Paige Thompson, a software engineer in Seattle who used to work for Amazon, got into Capital One's computer network through what the bank described as a "configuration vulnerability" in its security software. It was akin to leaving a window open overnight at the local bank.
Once inside, she was able to download an array of personal material from customers, including credit card applications and Social Security numbers, according to court documents.
Security experts are likely to home in on the apparently simple mistake made by software developers at Capital One, said Jack Jones, the chairman of the Fair Institute, a cybersecurity trade group. But simple mistakes are common when it comes to online security.
Every big organisation faces so many threats from so many sources that it can be hard to decide what is important. Mastercard, for example, combats some 460,000 intrusion attempts in a typical day, up 70 per cent from a year ago.
"They're lost in noise," Mr Jones said. "Nobody has this nailed down."
The Capital One episode is a reminder of the intricacy of the computer networks at large financial institutions, as well as their vulnerability. Over the past several years, companies including Equifax and Morgan Stanley have been attacked with various hacking methods.
In some cases, the hackers have taken advantage of weak passwords or sent fake emails loaded with malicious computer code that helped them get inside the network. In others, they have scanned for software that hasn't been kept up-to-date with the latest security fixes. Some hacks took hours. Others took months.
"The very best hackers in the world are hacking these banks, and it's a full-fledged arms race," said Tom Kellermann, the chief cybersecurity officer at Carbon Black, a security software maker.
It is unclear whether any sort of insider information helped Ms Thompson break into the Capital One network, as prosecutors allege. Though her online resume indicated that she had a wide range of programming skills, it did not appear that the breach of the bank's computer systems was particularly sophisticated.
Representatives of Capital One refused to answer questions about whether Ms Thompson had hacked into its systems or simply climbed through a window that had accidentally been left open.
"These things happen because of human nature," said Chris Vickery, a security researcher who specialises in finding unguarded data caches. "These systems are very complex and very granular. People make mistakes."
More than 11 billion records are known to have been exposed in data breaches since 2005, according to a tracker maintained by the Privacy Rights Clearinghouse. In recent years, huge caches of sensitive data have been taken from individuals' Anthem health care files, Equifax credit bureau records, mortgage documents held by the title services company First American, Yahoo email accounts and even federal employment records.
Security was, for decades, treated in most industries as an annoying expense. Banks have always been an exception, with high budgets and fairly sophisticated security operations.
Mastercard, for example, has a windowless bunker at its data centre in Missouri, where a group of security experts work. Citigroup runs three cyberattack response centres — in Budapest, Hungary; New York; and Singapore — that give it round-the-clock coverage. JPMorgan Chase spends nearly US$600 million a year on security, and Bank of America's chief executive has said the bank's security team has a "blank cheque" for its spending.
But attackers keep slipping through.
Cybersecurity "may very well be the biggest threat to the US financial system", Jamie Dimon, JPMorgan's chief executive, said in an April letter to shareholders. His company was the victim of a major data breach in 2014 after hackers exploited an employee password to steal data on 76 million households.
The average cost of a security breach in the United States has escalated in recent years to US$8.2 million, according to a study by IBM Security and the Ponemon Institute.
The cost for companies of Capital One's size can climb much higher, particularly when class-action lawsuits and fines from regulators come into play. The credit bureau Equifax said last week that it would pay about US$650 million — perhaps much more — to resolve most claims stemming from a 2017 breach that affected 147 million people.
Capital One said it expected to spend at least US$100 million this year responding to its breach. Some of that will be offset by the bank's cybersecurity insurance, which can cover as much as US$400 million in losses. A lawsuit seeking class-action status was filed against Capital One on Tuesday.
The breach is particularly embarrassing for Capital One because it was one of the first big financial institutions to move its systems to cloud computing. The company functioned almost like a "proof of concept" for regulators looking to see if the migration to the cloud could be done securely, Mr Kellermann said.
The bank wore its cutting-edge approach as a badge of honour. "Everything new" built by the company's developers was on Amazon's infrastructure, Rob Alexander, Capital One's chief information officer, told the trade publication Information Week in December.
"We are entirely focused on moving to the public cloud," he said.
Cybersecurity experts wondered why the company's security defences did not pick up Ms Thompson's intrusion. Most financial institutions use technology that can detect unusual patterns of behaviour indicating that a user could be trying to rob the bank.
Capital One learned about the attack from an outsider about three months after it happened. On July 17, the company got an email that tipped it off to leaked data posted on the coding platform GitHub, according to court documents.
"Let me know if you want help tracking them down," the person who raised the alarm wrote in the email to the bank.
Others may have followed the same path that prosecutors say Ms Thompson did, Mr Kellermann said. "There is no way that same back door wasn't available to other people during that time."