This publication asks whether the latest cyber-security breach, involving 100 million people, raises questions about whether cloud computing is more vulnerable than previously thought.
The merits of cloud computing have been widely touted and there is seldom a day that goes by without reading about this or that wealth management firm, bank or other financial organization moving to the cloud. The practice of using a network of remote servers hosted on the Internet to store, manage, and process data, instead of a personal computer or local server, is now pretty much a standard feature of our tech age.
That trend is not likely to slow down any time soon, but the eye-popping story that Capital One, the fifth-largest US credit-card issuer, was hit recently by a hacker who accessed personal information of about 100 million card customers and applicants is shocking, even by the standards of big attacks on Equifax and JP Morgan, to give just two cases. (In the JP Morgan incident, 76 million accounts were affected.) In the Capital One case, about one million Social Security numbers have been compromised.
The firm said that the FBI has arrested the person responsible and that person is in custody. “Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate,” Capital One said in a statement yesterday. The Wall Street Journal identified the arrested person as Paige A Thompson, 33. She was arrested in Seattle, the WSJ reported.
As the publication notes, Capital One has embraced the “cloud” for storing data. Thompson is a former employee of Amazon Web Services Inc, the WSJ reported, citing unnamed sources. The criminal complaint says Thompson’s résumé showed that she worked at a cloud-computing company, which the government did not name, as a systems engineer from 2015 to 2016.
When asked about cyber-security breaches, advocates of cloud computing have told this publication that security in this model is often as good as, if not superior to, in-house systems that companies have used in the past. But the sheer scale of the Capital One saga is bound to cause concern that cloud computing may have inbuilt vulnerabilities.
Computer security company Skybox Security, which recently updated the market about industry issues in its 2019 Vulnerability and Threat Trends Report, has argued that some of the containers used in cloud computing have gotten more vulnerable. A cloud container is a standard unit of software that packages up code and all its dependencies so that the application runs quickly and reliably from one computing environment to another. However, because they are so easy to use, errors can creep in when they are installed – creating openings for hackers. Skybox Security said vulnerabilities in container software rose by 46 per cent in the first half of 2019 compared with the same period in 2018, and by 240 per cent compared with the figures two years ago (source: Skybox).
This particular Capital One breach happened late in March and an “ethical hacker” – a person who hacks networks to test security – emailed the firm about what had happened. Law enforcement was alerted on July 19.
Separately, the wealth management industry has to be mindful of data breaches more broadly, whether the cloud is a factor or not. For example, earlier this year Redtail Technology, a web-based client relationship management firm serving financial advisors, suffered a breach. According to Barrons, and others, a technical error captured client data including names, addresses and Social Security numbers. There have also been concerns that the breach, identified on March 4, was not disclosed for more than two months, reports said.
Specific cases aside, the latest incident at Capital One, given the vast numbers of accounts affected, should prompt rapid responses and soul-searching. The saga is unlikely to markedly slow businesses embracing the cloud, but skeptics who prefer to keep tech arrangements in-house may have more ammunition for doing so, unless or until certain vulnerabilities are ironed out.
Cloud-based computing is often sold to users on the pitch that it is more robust and cost-efficient. Organizations such as single family offices that lack some of the in-house resources to manage forms of technology, are embracing cloud-based solutions. It is therefore critical that security concerns are put to rest, and fast.