Insider threats at the heart of recent attacks
This past July, Capital One was hit with one of the largest data breaches of any financial institution. The breach itself happened over the course of five months, and revealed roughly 100 million credit card applications that revealed customer information such as social security numbers, bank account numbers, names, addresses, phone numbers, and self-reported income for bank customers from 2005 to early 2019.
The breach is notable for a few reasons other than the volume and contents of the exposed records. First, the attack was allegedly conducted by a single hacker instead of a collective or state-sponsored group as is suspected for other recent breaches (like Equifax and Marriott). The accused engineer behind the hack is 33-year-old Paige Thompson, a Seattle resident that also goes by the online alias, “erratic”. Another notable difference is that Thompson is a former employee of Amazon Web Services (AWS), the cloud service used by Capital One where the breached data was being stored.
Initial fears suggested that Thompson may have gained access to the targeted data through insider credentials or privileged knowledge of AWS systems. While Capital One and AWS have pointed to the cause of the breach as a misconfigured firewall, the incident identifies a vulnerability in the current cloud vendor model: vendor employees can be motivated by malicious intent. In practice, controls at these vendors are in place to prevent the average cloud service employee or non-essential engineer from accessing client data. Yet, how can data owners ensure these controls are effective?
Just days after the Capital One breach another, less publicized incident of insider malfeasance was disclosed at AT&T. In the scheme, multiple customer service employees were alleged to have accepted over a million dollars in bribes to install malware and spying devices on AT&T’s Seattle based networks that allowed Muhammad Fahd, a citizen of Pakistan, to unlock phones from the AT&T network. This insider activity has cost AT&T millions of dollars in lost revenue and posed even greater threats to their network security.
Despite its size and resources, the controls and oversight at AT&T were insufficient to prevent this internal misconduct that took place over six years. At almost twice the size of AT&T, Amazon undoubtedly has considerable resources dedicated to internal controls. However, it also holds a concentration of data from thousands of corporate clients worth considerably more than the value of unlocked phones. And despite all those security resources, any client that relies entirely on a cloud vendor’s security (such as encryption key management, and Identity Access Management) has enabled a person or persons at that vendor governance over their data. I’m confused at the intro of Amazon?
As discussed in our previous post, diversification of vendors to manage security and host data separately helps to prevent these breaches by not allowing access to a single person or vendor. In-house controls over encryption key management or IAM are also important considerations when engaging with cloud vendors so these elements can be retained from any external vendor that also hosts the data. At Myriad, we’ve integrated independent client-side encryption into our cloud portal for this very reason. More importantly, Myriad stripes file data across multiple independent cloud vendors so a breach at one storage vendor (whether hacked through a misconfigured firewall or by a malicious vendor employee) doesn’t reveal any full volume of cipher text.
Capital One reported this hack is likely costing the company $100 million to $150 million in the near term, yet their market capitalization has already shed over $6.5 billion since news of the hack was released. With such high cost to failure, the depth of data security and retention of controls mean protecting confidential business and client data from malicious actors on the outside, or the inside.