Good evening and welcome back to another post from ToBeSecured. This is my second week at my very first full-time job and I am excited to embark on a new journey in such a nurturing environment. I am a part of a great team, meaning the information I am learning will be leveraged to expand my mind and my blog.
On today’s topic, we will be discussing the data breach that Capital One announced yesterday. Do you find it ironic or even comedic that a bank corporation would not spend the necessary funds to strengthen its maintenance and configuration?
Capital One is one of the United States’ largest banks, and on Tuesday it announced that over 100 million customers’ personal data was exposed in a data breach. This is one of the largest breaches to ever occur. If regulations aren’t driving companies to invest in cyber defense, then what will? Companies will insinuate that the government needs to step in and create incentives for them when they meet the requirements for protecting customers’ data. The logical thing to do if you are a customer is to say goodbye to that particular company and go a route where your data will be valued and protected. I said logical, but we all know the norm. In theory, investors will rebel and hold companies accountable for the damage to their brand, and the direct cost of responding to a data breach will send companies straight to rock bottom. But the steady occurrence of major breaches in the last few years has exposed the truth: data breaches have little to no long-term impact on companies’ business. Why invest in defense when data breaches do not hit your bottom line?
The hacker ultimately procured information — including credit scores, balances, and Social Security numbers — of about 140,000 customers, according to Capital One. It will offer free credit monitoring services to those affected. Of primary concern is the seemingly growing frequency of such breaches, and what ends up happening to the private information of hundreds of millions of people.
Here are some statements from Britt Sidentopf, a global cybersecurity expert with Global Asset Online: “If you look at the breaches of the last three years, the Capital One was not the largest. Equifax was 148 million (in 2017), Marriott was 339 million in 2018. Yahoo in 2016 was 500 million,” he said. “You add those up. That’s over a billion people’s accounts or information that has been breached in the last three years. That’s a staggering number.”
“In my world, there are typically three motivating factors behind this behavior. First is usually notoriety. Second normally is vengeance, maybe you have a disgruntled employee. Third is monetary. If you look at the psychological profile of this individual it’s somewhat self-destructive behavior,” he said. “If they’re smart enough to do this they’re smart enough to realize that when they take this breach and post on social media, they’re gonna get caught. So it almost comes down to that they’re overtaken by this need to be accepted among their peers, that they were able to accomplish this objective.”
The most disturbing part of this data breach is that although the hacker is sitting in jail, there is no guarantee that millions of users’ data has not already been passed to someone else to carry out the original intent. This information could have been sold, deleted, or placed on the dark web, or nothing could happen at all, and in all honesty there is little that could be done about it. Most hacking incidents do not result in jail time, so this one definitely came as a surprise. Cybercrime is largely consequence-free. Exact statistics on the prevalence of cybercrime and the number of prosecutions are hard to come by, but experts agree that far less than 1% of cybercrimes ever result in an arrest. One study estimated the arrest rate for cybercrimes could be as low as 0.05%. Prosecutions are even rarer.
We need a national data breach disclosure law that imposes consistent requirements on companies to disclose breaches to customers and to regulators. And we need to impose monetary penalties large enough that it is cheaper for companies to invest in security than to pay for the costs of a breach.
In conclusion, as consumers, we must take measures into our own hands to ensure the privacy and security of our personally identifiable information. As I’ve been consistently reiterating, the only way we’re going to drive change is if we hold these companies accountable for holding our information, maintaining it, and ensuring it is secured.
If you would like to discuss further, please leave a comment or ask a question. I'd love to chat with my readers and hear your thoughts. Thank you for dropping in and remember ToBeSecured!
I honestly believe a crime is a crime and if you commit a crime, you should serve time for it. It's not a surprise, as I mentioned in my blog, that a person would not serve time for hacking into a system, but this time they did. If I were a lawmaker, I would take one's privacy into consideration and create laws based upon what a person should and should not collect, e.g. social security numbers, banking information, login information, and anything else that is considered personally identifiable information. But, we all know there is a long, tedious process of creating and passing laws. I believe the remedy to this problem as a company is to reflect on…
I like how you called out Capital One on not spending the required funding to strengthen their maintenance and configuration. So you believe a remedy to this problem will be to protect their privacy by diverging away from the company economically? Also, I honestly don’t believe there is enough jail time for profiting off of someone else’s government official information. If you were a lawmaker, how would you go about implementing policy regulation(s) paired with consequences into this society of ours?