106 Million Endure Data Breach: A Costly Lesson

On July 29, Capital One Financial announced that 106 million of its customers and applicants had their data breached while their data was in Capital One’s possession.

What went wrong?
Capital One Financial Corporation (NYSE: COF) announced that on July 19, 2019, there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products, as well as to Capital One credit card customers.

Basic Cybersecurity Truisms

  1. Bigger is not better. One fallacy related to cyber and data security is that if a large company is in possession of data, the data must be safe, since the assumption is the company has invested in the best of cyber theft prevention available. The truth is sobering. Big companies have the same vulnerabilities as small and mid-size companies: all are only as strong as their weakest link and weakest vendor.
  2. You are at the mercy of your vendor. In this case, an employee of one of Capital One's vendors is accused of breaking through a Capital One firewall to access the customer data that the bank had stored on Amazon.com Inc.’s cloud service. The bulk of the stolen data includes data submitted by both customers and small businesses that applied for Capital One credit cards between 2005 and early 2019.
  3. Arresting a suspect after the data has been stolen doesn’t help retrieve it. The arrest of a suspect is of little consolation to those with missing data. The data is gone. The irony is that the customers whose data was stolen will pay the taxes providing room and board to the convicted and imprisoned data thief.

Lessons Learned:
Here are the takeaways from the Capital One Financial breach as we see them.

  • The size of the business harboring the data is irrelevant. All businesses are vulnerable.
  • Small and mid-sized businesses (SMBs) are particularly vulnerable since they are often both customer and vendor.
  • SMBs are now viewed as potential weak cyber links and are under scrutiny by their larger customers.
  • Even the most expensive and intricate firewalls can be vaulted.
  • No senior level executive wants to make a public statement about a breach of data they held.
  • Executives at SMBs are called upon to take control of cybersecurity IF they care about their companies.

How can HBK help?
HBK offers three introductory levels of cybersecurity assessments designed specifically for SMB budgets and risks. We also offer SOC 1, SOC 2 and SOC for Cybersecurity reports for when proof of your cybersecurity preparedness and current posture is requested.

Call Steve Franckhauser at 614.228.4000 extension 2415 to discuss cybersecurity options.

About the Author(s)

Steven Franckhauser is a Senior Director working out of the Columbus, Ohio and Pittsburgh, Pennsylvania offices of HBK. He joined HBK in 2011 and works with both the Risk Advisory/Cybersecurity and Energy divisions of the firm.

He is an adjunct Professor of Law at the Duquesne University School of Law, where he teaches business planning and cyber security courses. Steve contributes to the Penn State Extension programs on Shale development, is an adjunct Professor at Penn State University's Beaver campus in Monaca, Penn., and has been a guest lecturer on shale energy and renewable energy at The Ohio State University Fisher School of Business and the School of Arts and Sciences. He is also a past recipient of the “Who’s Who in Energy” by the Pittsburgh Business Times.

He serves on various industry-related boards and is a frequent lecturer and speaker on the economic development and opportunities provided by shale energy, as well as on topics related to the importance and development of Cybersecurity best practices, regulations and standards as they relate to businesses and individuals.

Matthew J. Schiavone is a Senior Manager in HBK’s Quality Control department and works primarily in the Pittsburgh, Pennsylvania office. He specializes in risk advisory services, system and organization control (SOC) reporting, internal controls, IT audit, information security, and cyber security for all types of industries.

Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.