Capital One Breach Casts Shadow Over Cloud Security

(Wall Street Journal) Robert McMillan July 30 2019 6:57 pm One of the highest-profile hacks of consumer-banking data has sent financial institutions scrambling to figure out how millions of records at one of the biggest proponents of cloud-computing were exposed. Capital One Financial Corp. the fifth-largest U.S. credit-card issuer said Monday that information of roughly 106 million card customers and applicants was exposed in one of the largest data breaches of a big bank. The data was stored on Amazon.com Inc.s cloud according to a federal criminal complaint and people familiar with the matter. The avenue of entry the companies and investigators said was a poorly configured firewalla mechanism designed to wall off privately operated digital systemsthat a hacker breached. Both companies say controls around the data rather than use of the cloud were the problem. Still the data was stored in the cloud raising questions about whether Capital One put insufficient safeguards in place to lock down customer records when it adopted cloud technology. And the accused hackers tenure as a former employee of Amazons cloud business highlights the riskpreviously little appreciatedof an insider threat. Cloud computing has boomed as companies have increasingly turned to providers such as Amazon and Microsoft Corp. to do the work of configuring computers inside their own data centers. The processing power of those servers and storage devices is then rented out to cloud customers who pay depending on how much work the computers do. Capital One was an early adopter of cloud-computing among financial institutions as many other banks hesitated to move customer data out of their data centers. But the global cloud business has expandedincluding among banksas companies such as JPMorgan Chase & Co. and Bank of America Corp. became converts. That has heightened the stakes from the Capital One breach for the broader financial-services and cloud-computing industries. By 2023 banks globally are forecast to spend more than $53 billion on public cloud infrastructure and data services up from $24.3 billion this year according to market research firm International Data Corp. The disclosure of the breach has caused a behind-the-scenes scramble at several financial institutions to understand what happened at Capital One according to a person familiar with the discussions. Everyone who is migrating to the cloud is really going to look at their controls" said Sameer Malhotra the chief executive of TrueFort Inc. a company that provides cloud security services. However he added I dont think its going to change their intention to move to the cloud."