106 Million Endure Data Breach: A Costly Lesson

Date August 23, 2019
Authors Steven Franckhauser, JD and Matthew J. Schiavone, CPA, CISSP, CISA

On July 29, Capital One Financial announced that 106 million of its customers and applicants had their data breached while it was in Capital One’s possession.

What went wrong?
Capital One Financial Corporation (NYSE: COF) announced that on July 19, 2019, there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products, as well as to Capital One credit card customers.

Basic Cybersecurity Truisms

  1. Bigger is not better. One fallacy related to cyber and data security is that if a large company is in possession of data, the data must be safe, since the assumption is the company has invested in the best of cyber theft prevention available. The truth is sobering. Big companies have the same vulnerabilities as small and mid-size companies: all are only as strong as their weakest link and weakest vendor.
  2. You are at the mercy of your vendor. In this case, an employee of one of Capital One’s vendors is accused of breaking through a Capital One firewall to access the customer data that the bank had stored on Amazon.com Inc.’s cloud service. The bulk of the stolen data includes data submitted by both consumers and small businesses that applied for Capital One credit cards between 2005 and early 2019.
  3. Arresting a suspect after the data has been stolen doesn’t help retrieve it. The arrest of a suspect is of little consolation to those with missing data. The data is gone. The irony is that the customers whose data was stolen will pay the taxes providing room and board to the convicted and imprisoned data thief.

Lessons Learned:
Here are the takeaways from the Capital One Financial breach as we see them.

  • The size of the business harboring the data is irrelevant. All businesses are vulnerable.
  • Small and mid-sized businesses (SMBs) are particularly vulnerable since they are often both customer and vendor.
  • SMBs are now viewed as potential weak cyber links and are under scrutiny by their larger customers.
  • Even the most expensive and intricate firewalls can be bypassed.
  • No senior level executive wants to make a public statement about a breach of data they held.
  • Executives at SMBs are called upon to take control of cybersecurity IF they care about their companies.

How can HBK help?
HBK offers three introductory levels of cybersecurity assessments designed specifically for SMB budgets and risks. We also offer SOC 1, SOC 2 and SOC for Cybersecurity reports in the event proof of your cyber preparation and current state of readiness is requested.

Call Steve Franckhauser at 614.228.4000 extension 2415 to discuss cybersecurity options.

Cyber Security: It’s Everyone’s Job

Date August 13, 2019
Authors Steven Franckhauser, JD and Matthew J. Schiavone, CPA, CISSP, CISA

HBK is in the cyber security business. Our Risk Advisory Services group exists to serve our clients and help ensure they remain healthy, active and viable. That is our business, ethical and moral purpose. We also realize that we alone cannot entirely handle your cyber security needs, because so much of cyber security is a function of business culture and self-awareness.

Here are five reasons cyber security starts and ends in the business setting:

1. Laws put the burden on your business to protect cyber data. If you peruse the California Consumer Privacy Act, the New York Department of Financial Services Cyber Security Regulations, the Ohio Cyber Security Safe Harbor Law, the Florida Information Protection Act, and the mother of all data regulations, the General Data Protection Regulation of the European Union, you will find two common denominators: none of them make it illegal to steal data and all of them make it incumbent on the business to protect data.

Each regulation sets forth actions businesses must take to protect data. This type of law used to be reserved for national security matters—power plants, national emergencies, disaster recovery—but state governments in the U.S. and foreign sovereigns are delivering a clear message that these laws apply generally. You are responsible for protecting data, and if you do not you will be punished.

2. The burden to protect cyber data is being pushed by big businesses to small and medium businesses (SMBs) under contractual mandates. Large multinational businesses are being attacked through their vendors. Target took a data breach hit because of an HVAC vendor. Capital One just announced a data breach allegedly caused by an employee of one of its vendors.

Large businesses are now insisting that their vendors adopt safe cyber hygiene practices or risk losing the business. The role of “vendor risk manager” has risen to the top of the charts as supply chain logistics expand and state laws mandate cyber security measures. SMBs risk losing their best customers if they do not toe the line on cyber security.

3. Blind faith in outsourced IT and cyber security measures does not work. Pay close attention. Pushing problems to a third party does not solve problems; it merely hides them. Many SMBs outsource IT and presume that their vendor has cyber security covered. This is flawed for two major reasons. First, IT vendors are only one part of the cyber security solution. Second, IT companies are particularly susceptible to data attacks because they are an entry point into your systems. SMBs must be assured that the people they pay are addressing cybersecurity. As one CFO recently told me, he is afraid of what he doesn’t know. That type of self-realization is healthy. Have your vendors demonstrate their cyber security.

4. Cyber insurance underwriting guidelines will not accept cyber security indifference from management. Financing a cyber data breach or a ransomware heist is a big financial deal. CEOs, COOs, CFOs and boards of directors are tasked with managing the business vessel. Running afoul of cyber insurance guidelines can deprive a business of the requisite financial resources provided by insurance during a cyber data calamity. Good business management practices, as well as operating agreements, by-laws and partnership agreements, entrust these levels of decision to management. If C-level management and boards do not fulfill their obligations, they place the financial status of the business in peril. Study the cyber security laws and regulations listed in item 1 of this article. They are aimed directly at management.

5. Fiduciary Duty of Company Officers. Talk to your business lawyers about the respective duties owed to companies by their officers. Most state laws place this high level of responsibility upon the company officers. Fiduciary duties are non-delegable.

We do not have the luxury of cyber police patrolling the data streets of homes and businesses. Security always begins with the individual. Never confuse law enforcement with security. It is incumbent upon each person to do their part in cyber and data security because each person is a link in the cyber data chain. HBK understands this reality and bases its cyber security services on understanding the human, technical and management elements as being inextricably intertwined. In the end, you are only as secure as your weakest link.

For more information or to review your cyber security responsibilities and readiness, contact Steve Franckhauser at 614.228.4000 or sfranckhauser@hbkcpa.com.