Capital One identified and traced the breach in a span of four months, and accepted responsibility for a misconfigured firewall that allowed the hack to take place. I-U cybersecurity program chair Scott Shackelford says that’s a stark contrast to the just-settled Equifax breach two years ago. which he calls “a case study in what not to do.” He says the credit-reporting agency spent weeks downplaying the significance of the breach, then caught more flak by offering free credit monitoring only if customers agreed to take any legal claims to arbitration instead of the courts.
But Shackelford says the lone hacker charged in the Capital One case isn’t typical either. Shackelford says all companies need to realize their adversaries are more likely to be a foreign government, with unlimited resources and unlimited time, and plan their defenses accordingly.
Shackelford says banks generally have stronger defenses than other industries, in part because they’ve teamed up for a joint cybersecurity center. Because they’re on the hook for any fraudulent charges, Shackelford says banks have invested heavily in encryption, web traffic analysis, and cyber risk insurance.
Shackelford says companies also need to be careful about who has legitimate access to their networks. He says the Target data breach in 2013 was traced to a heating and cooling contractor — he says hackers used that company’s weaker security as an entry point.
For individuals, Shackelford notes it’s simple to place a fraud alert and a credit freeze on your accounts, so you hear about it if someone tries to open a new credit card in your name. He recommends using multi-factor authentication instead of just a password when possible. And he says ransomware attacks on two Indiana counties are a reminder to back up important files.