Americans have a long history of getting mad as hell about something and deciding they won’t tolerate it any more.
Eventually, at any rate. British colonists complained about paying taxes to Great Britain even though they had no representation in the country’s parliament a full decade before the first shot was fired in what would become the American revolution. Prohibition held sway for 13 years before an economic downturn combined with organized crime’s control of the liquor market ended a constitutional ban on the production and sale of spirits in 1933.
It’s a pattern of behavior that isn’t lost on cybersecurity executive Mark Testoni. When it comes to misappropriation of personal data, American voters aren’t frustrated enough yet to force change, he says, even after credit card issuer Capital One disclosed the theft of information gathered from 2005 to 2019 on more than 100 million applicants and customers. And even though that breach followed hacks at credit bureau Equifax, hotelier Marriott, and social media giant Facebook that exposed personal information on hundreds of millions of people.
“It’s a complicated situation,” said Testoni, the CEO of SAP National Security Services, which provides cybersecurity services to national security agencies and large companies.
While Europe imposed strict standards with its General Data Protection Regulation that allows large fines for violations, “we don’t have a GDPR mentality in this country that people are just saying, ‘We’ve got to protect this data,'” he told the Washington Examiner. “Long term, I think we need to address privacy.”
Sens. Amy Klobuchar of Minnesota and John Kennedy of Louisiana reintroduced a privacy bill earlier this year targeting social media that, among other things, would require that users be informed of data breaches within three days. Lawmakers have expressed open skepticism, however, about a push for a federal law that industry leaders hope would pre-empt stricter regulations from states like California, which passed a data-security law modeled on stringent requirements in Europe.
If the Capital One theft, which differs from some of its high-profile predecessors by virtue of an arrest, isn’t enough to compel Congress to enact a broad privacy law, there are other risks for the companies affected. Not least is the possibility of fines and the loss of customer trust.
A report this year by the document destruction firm Shred-it showed 23% of consumers would stop doing business with a company if their own data were stolen from it.
Equifax, meanwhile, agreed this month to pay up to $700 million to settle claims by the Federal Trade Commission and other regulators that its failure to provide sufficient security on data used to evaluate consumer creditworthiness led to a 2017 breach that exposed identifying information like birth dates and Social Security numbers on more than 140 million people.
Then-CEO Richard Smith stepped down before contentious congressional hearings where lawmakers accused the company of failing to protect the contents of a “digital Fort Knox.”
Smith apologized repeatedly during the sessions, just as Capital One CEO Richard Fairbank did in a July 29 statement disclosing the McLean, Va.-based company’s breach.
The company estimated the breach will cost it as much as $150 million this year, and Morgan Stanley analyst Betsy Graseck said it may also raise questions about the lender’s move from physical data centers to cloud-based storage at Amazon Web Services.
The “revelation reminds investors of the trust that financial institutions place in their client-facing employees and highlights risks of outsourcing any part of client-facing operations,” Graseck said. “Regulators expect that banks hold their third-party vendors to the same standards that regulators hold banks to.”
Capital One learned of the April data breach after former Amazon Web Services employee Paige Thompson, 33, listed on GitHub, a digital platform for software development projects, the names of files from the bank’s so-called buckets, the containers in which cloud storage services hold files, and discussed plans to archive the data so it wouldn’t be on her servers, according to a criminal complaint filed in U.S. District Court in Seattle.
Another user saw the posts, which were made under Thompson’s name and referenced her Twitter alias, “erratic,” and contacted the lender on July 19, according to the complaint.
“I’ve basically strapped myself with a bomb vest,” read a message sent from Thompson’s Twitter account cited in the complaint, “dropping capitalones dox and admitting it. I wanna distribute those buckets I think first. Their SSNs with full names and DOB.”
Thompson was charged with computer fraud and abuse, and FBI agents seized numerous digital storage devices in a raid on her home, some of which included references to Capital One and possible other network breaches, the agency said.
No credit card account numbers were compromised, Capital One said in a statement afterward, and more than 99% of Social Security numbers were not. The largest category of information taken was on consumers and small businesses as of the time they applied for credit cards, and included names, addresses, phone numbers, and self-reported income.
So far, the data doesn’t appear to have been shared or used for fraud, the bank said.
The case is yet another reason why some 80% of CEOs surveyed by the Business Roundtable, which represents the 200 biggest U.S. businesses with a combined payroll of 15 million people, say a federal statute is important.
Privacy advocates alarmed by massive breaches want action too, though they worry that Congress might ultimately weaken protections in states like California, whose new law will allow residents to review the data that companies hold on them and block firms from selling that information.
What the Capital One attack illustrates is that moving data from on-site storage to the cloud doesn’t “magically make it safe,” Peter Martini, co-founder of cloud cybersecurity firm iboss, told the Washington Examiner.
“What you have to understand and have research for is, ‘How do we secure data in the cloud, and what are the variables out there?'” he said. His firm uses security software that learns the normal pattern of activity on a data server and looks for deviations from it, rather than only screening for malware. That approach catches not just outside hackers but also employees and vendors who abuse access they were legitimately granted, a case that malware scanning cannot see because no malicious file is ever involved.
“Think about humans: We’re probably the most polymorphic piece of malware in the world,” he said. “You could be walking down the street, see some files and think, ‘Why don’t I download these real quick, even though I wasn’t planning on doing this today?'”
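The baseline-and-deviation idea Martini describes is easy to sketch. What follows is an added illustration, not code from the article, from iboss, or from any bank or cloud provider. It learns, per identity, how many distinct storage buckets that identity normally touches per day and which API actions it normally uses, then flags a day on which either departs from the baseline. The log records, principal names, bucket names and action names are all constructed for the example and follow no real provider’s log format.

```python
# Added example (not the article's, iboss's, or any provider's code): a minimal
# per-identity baseline-and-deviation check over constructed storage access
# records. Misuse of legitimate credentials produces no malware to screen for,
# but it does change the shape of an identity's activity, which is what this
# looks for.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (principal, day, action, bucket).
# Names and layout are assumptions for illustration, not real log data.
SAMPLE_EVENTS = []
for day in range(1, 6):
    for bucket in ("app-assets", "app-logs"):
        SAMPLE_EVENTS.append(("svc-web-role", day, "GetObject", bucket))
    for bucket in ("backup-a", "backup-b", "backup-c"):
        SAMPLE_EVENTS.append(("svc-backup-role", day, "PutObject", bucket))
# Day 6: the web role, with its own valid credentials, enumerates every bucket
# and reads from dozens it has never touched before.
SAMPLE_EVENTS.append(("svc-web-role", 6, "ListAllMyBuckets", "*"))
for n in range(30):
    SAMPLE_EVENTS.append(("svc-web-role", 6, "GetObject", f"customer-data-{n:02d}"))
for bucket in ("backup-a", "backup-b", "backup-c"):
    SAMPLE_EVENTS.append(("svc-backup-role", 6, "PutObject", bucket))


def per_principal_daily(events):
    """Group records: principal -> day -> {'buckets': set, 'actions': set}."""
    out = defaultdict(lambda: defaultdict(lambda: {"buckets": set(), "actions": set()}))
    for principal, day, action, bucket in events:
        out[principal][day]["buckets"].add(bucket)
        out[principal][day]["actions"].add(action)
    return out


def find_deviations(events, baseline_days, target_day, sigma=3.0, min_delta=2):
    """Flag principals whose target-day activity departs from their own baseline.

    Signal 1: distinct buckets touched exceeds mean + sigma * stdev of the baseline
    days, with a floor of mean + min_delta so a perfectly flat baseline does not
    fire on one extra bucket.
    Signal 2: an action name never seen for this principal during the baseline.
    Returns principal -> findings; an empty dict means nothing was flagged.
    """
    stats = per_principal_daily(events)
    findings = {}
    for principal, days in stats.items():
        counts = [len(days[d]["buckets"]) for d in baseline_days if d in days]
        if not counts:
            continue  # no history for this identity, so no basis for "normal"
        threshold = max(mean(counts) + sigma * pstdev(counts), mean(counts) + min_delta)
        known_actions = set().union(*(days[d]["actions"] for d in baseline_days if d in days))
        today = days.get(target_day)
        if today is None:
            continue
        result = {}
        observed = len(today["buckets"])
        if observed > threshold:
            result["bucket_volume"] = (observed, round(threshold, 2))
        new_actions = today["actions"] - known_actions
        if new_actions:
            result["new_actions"] = sorted(new_actions)
        if result:
            findings[principal] = result
    return findings


if __name__ == "__main__":
    for who, why in find_deviations(SAMPLE_EVENTS, range(1, 6), 6).items():
        print(who, why)
```

Run against the constructed records, only the web role is flagged: on day 6 it touches 31 distinct buckets against a baseline threshold of 4 and uses an action it had never used before, while the backup role, which does the same three buckets every day, stays quiet. The threshold floor matters in practice: service identities often have very regular baselines with zero variance, and without a floor a single additional bucket would trip a pure standard-deviation rule.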
The Capital One theft keeps such possibilities on the public’s radar, and will likely further increase momentum for tighter security and a federal privacy standard, he said.
“Consumers are getting more savvy,” Martini said. “There’s more of a demand for data privacy.”
Companies migrating to the cloud, meanwhile, are forced to consider how best to duplicate the protective firewalls they had with data stored on their own property, he said. “It’s complex, somewhat uncharted territory.”