On Monday, July 29, Capital One Finance announced in Virginia it had been the subject of a data heist that stole personal information from over 100 million customers in the U.S. and 6 million in Canada.
Cyber attacks are always bad news for the industry, but this one was more ominous, because it raised issues about the safety of keeping sensitive information in the cloud (FT).
Capital One is considered to be among the most digitally progressive banks in the U.S., and it had been an early advocate of moving computing needs to the cloud. AWS was its primary vendor. And a former AWS employee, Paige Thompson, has been arrested in Seattle and charged with the hack.
As far as we know, the breach was not due to any problem with AWS’s infrastructure. Thompson allegedly hijacked Capital One’s internal web-based application to access its information stored in the cloud (Washington Post). The FBI called this a “firewall misconfiguration”.
It has taken banks longer than other industries to embrace cloud computing, because of their heavy compliance requirements and the sensitive nature of their data. A few large global players such as HSBC have recently embraced cloud computing (DigFin). DTCC, which processes 100 million transactions per day, is fully on cloud (as this video explains). Others still hang back, preferring to use their own servers, or just use vendors such as AWS, Microsoft Azure and Google Cloud for generic data.
The Capital One fiasco won’t help the case of cloud vendors. But the correct response is not to decide cloud is too risky, and therefore untenable.
Cloud computing is absolutely necessary to digital finance. Some very large global banks will have the means to keep sensitive data on the premises. Even they, however, will struggle to deal with the lack of scalability when they rely on private servers.
On-prem or public, the hardware is the same. The top vendors put enormous resources into security. This is not to be entirely taken for granted; NSO Group, an Israeli company, has allegedly developed tools to breach cloud security, which it denies (FT). But in the worst case, and such tools found their way into the hands of bad actors, then surely banks relying on their private clouds would be just as vulnerable, if not more so.
There are plenty of examples of banks’ proprietary systems getting hacked: Last week also saw Equifax announce its $700 million settlement over its notorious loss of customer information (and then also reveal it can’t actually pay all of its wronged customers (MarketWatch)).
…but with cloud-first problems
But that does not mean financial institutions will shrug off the Capital One hack. It reveals some longstanding weaknesses.
One is the lack of sufficiently qualified cybersecurity people. That’s across the board, worldwide, in every industry. Gartner says only 65% of organizations have a cybersecurity expert in-house. The Capital One hack makes clear, though, that banks should make the move to vendor cloud only when they are confident they have the internal expertise.
Second, and more readily addressable, are cloud clients’ own internal processes, specifically around authorizing who can access the bank’s data on the cloud (TechCrunch). In Capital One’s case, it does not appear that it was subject to an inside job. The hack allegedly came from an ex-AWS person with mental health issues. But cybersecurity heads at banks know very well that they must defend against internal as well as external threats. The Capital One case suggests managing these layers of security will only become more complex as more data moves to cloud.
The fact that a formerly employee of AWS is accused of the hack will no doubt have triggered a shouting match between their lawyers and Capital One’s lawyers. Banks using public cloud need to make sure they know in minute detail what they’re signing up for.
The promise of cloud computing hasn’t gone away but some of those promises may not be as strong as others.
What hasn’t changed: the flexibility and scalability of leveraging public cloud. That is still absolutely necessary. There’s no going back.
And: major cloud vendors have not experienced a hack themselves. They still have more resources than anybody to safeguard data.
What has probably changed: the true cost of outsourcing. Moving data to a vendor can cut costs by reducing reliance upon data centers and the staff to manage them. It also alleviates the need to have teams specializing in server infrastructure. These have been a big selling point by vendors. But banks also need to add on top some extra costs, particularly around firewalls and accessing cloud data.
And it might not be wise to abandon expertise in the nitty-gritty of cloud vendor processes, if for no other reason than to support the legal team when you sign off on vendor contracts.
For banks struggling to bring down costs, the Capital One hack raises shortcomings in its internal security – and in many banks’ budgetary expectations.