Capital One Breach Said To Also Affect Other Major Companies (techcrunch.com)
The data breach at Capital One may be the "tip of the iceberg" and may affect other major companies, according to security researchers. From a report: Israeli security firm CyberInt said Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may have also fallen victim to the same data breach that saw over 106 million credit applications and files stolen from a cloud server run by Capital One by an alleged hacker, Paige Thompson, a Seattle resident, who was taken into FBI custody earlier this week. Reports from Forbes and security reporter Brian Krebs indicate that Capital One may not have been the only company affected, pointing to "one of the world's biggest telecom providers, an Ohio government body, and a major U.S. university," according to Slack messages sent by the alleged hacker.
Krebs posted a screenshot of a list of files purportedly stolen by the alleged hacker. The stolen data contained filenames including car maker "Ford" and Italian financial services company "Unicredit." The Justice Department said Thompson may face additional charges -- suggesting other companies may have been involved. Further reading: Capital One's Breach Was Inevitable, Because We Did Nothing After Equifax.
Where is Amazon's liability in this? (Score:1)
Their employee, their liability...
"The Cloud" (Score:1)
It's almost like cloud-service providers are an ironic single-point-of-failure.
Re: (Score:1)
(Sent from unsecured AWS bucket acting as unsecured email relay)
Re: (Score:1)
I think you've got me confused with someone else.
I'm not going to go into specifics as to my contacts with her, but will point you to this Krebs piece (https://krebsonsecurity.com/2019/07/capital-one-data-theft-impacts-106m-people/) where he notes
Or this piece which notes some of her online postings which do not paint the picture of a stable person: https://torontosun.com/ne
Capital One is big on security. Just not perfect (Score:2)
Capital One hires a lot of security folks, is very active with OWASP, etc. I've spoken with several members of their security team several times. The company is not sloppy about security.
They are not perfect. Somebody screwed up this time.
There is one part I'm not sure of re Cap One security.
What they *could* do, perhaps, is ensure that security teams align with the CFO and auditors, whose job it is to control risk, and not so much with IT and dev teams. They need to work *with* devs and IT, but should
come on (Score:2)
After all, any data placed in the cloud may as well just all be printed on your front door. There is no expectation of privacy or security.
Just my 2 cents
Filenames? wtf??? (Score:2)
The stolen data contained filenames including car maker "Ford"
OK, I'll bite; what confidential information was some genius keeping in ford.docx ?
Re: (Score:2)
The original script from The Postman
Companies have been using the trick a lot lately (Score:2)
Right off the bat the math didn't add up. The first stories said it only applied to Capital One card applicants in the last 6 years. 100 million people did not apply for a Capital One card in the last 6 years. That's not far off from the entire adult population of America...
Cloud Computing. IMHO (Score:5, Insightful)
The fastest and easiest way to conduct industrial espionage on thousands of companies, within a monolithic security infrastructure. Imagine if those companies would have all sorts of private data centers, staff themselves with different OS's, network designs.
That would be way too hard to crack both from a hardware/software end, and a human social engineering end.
Just my two cents' worth; anyone think I am wrong? Because IMHO this whole cloud service industry shouldn't be storing anything of value.
The best application I can think of right now for anything cloud is Cat Videos.
Excuse me now, I am going to have to call Capital One, my attorney and check my credit to see if I suffered any damages....
YET.
Re: (Score:3)
The fastest and easiest way to conduct industrial espionage on thousands of companies, within a monolithic security infrastructure. Imagine if those companies would have all sorts of private data centers, staff themselves with different OS's, network designs.
That would be way too hard to crack both from a hardware/software end, and a human social engineering end.
There are two sides to this.
On the one hand, diversity does create some obstacles -- though given the nature of the vulnerability that was exploited in this case, it wouldn't have helped, because the problem was unpatched application server software.
On the other hand, the cloud data centers are almost certainly much better-secured than the private data centers would be. I've been in many private data centers, including those of banks and government organizations, and I have visited a couple of Google's