Experts: Capital One data breach latest example of constant cybersecurity threats
The latest reported consumer data breach — in which a hacker exposed personal information of more than 100 million Capital One customers and applicants — came as no surprise to cybersecurity experts in Western Pennsylvania.
The odds of a data breach happening at major companies is almost 100%, said Paul Grieggs, IT security manager at Indiana University of Pennsylvania.
“Most major companies experience security incidents that may result in compromised data,” he said.
The list of corporate victims includes Yahoo, Marriott, Equifax, eBay, Target and Facebook. Even the Postal Service and the IRS have experienced major data breaches. Five years ago, hackers accessed sensitive data of more than 60,000 UPMC workers.
The increase in security breaches is an indicator of how far technology and security companies have to go, said Bryan Parno, a Carnegie Mellon University computer science and engineering professor and member of the school’s Security and Privacy Institute, or CyLab. He attributed the increased number of breaches to information becoming digitized and a more sophisticated criminal economy.
To help fight breaches, places like CyLab are exploring ways to build more secure software and networks that can detect when somebody infiltrates a network.
Limited laws surrounding data breaches can also impact how well companies protect against threats, Parno said. In Pennsylvania, companies that store or manage computerized data, including personal information, are required to give a public notice in event of a breach in the security system.
But across the country, breaches impacting 10,000 or fewer people are not likely to be reported, Parno added.
“It’s quite possible those are happening or are happening at a smaller scale,” Parno said.
For now, at least, Grieggs said the key to limiting the compromise of data is quickly finding and responding to breaches.
Major breaches like at Capital One — which the company publicly announced Monday, the same day federal authorities charged a Seattle woman with computer fraud and abuse in the case — was made worse by a failure to detect or respond to the breach in time, Grieggs said.
“It will likely be several weeks until we know the facts surrounding the Capital One breach,” Grieggs said. “It sounds bad, but it will take some time to understand the full impact. I think the Equifax breach of 2017 was one of the worst in terms of the scale of sensitive data that was compromised.”
The Equifax data breach — considered one of the largest in U.S. history — is believed to have affected nearly 150 million people. People whose Social Security numbers and other private information were exposed by the Equifax credit reporting agency can apply online for a share of the $425 million available through a $700 million settlement reached between the government and the company.
Cyber criminals have stolen an estimated $11.3 billion in the past 12 months, according to a 2018 cyber safety report from Symantec Corp.
The Pew Research Center in 2017 reported results of a survey which found that 64% of U.S. adults had been impacted by some sort of data theft — from fraudulent credit card charges and compromised Social Security numbers to hacked email and social media accounts.
“Criminals are always seeking creative ways to get inside networks and steal data,” said Catherine Policicchio, a spokeswoman for the Pittsburgh FBI office. “We work with government and private sector partners to prevent as many attacks as possible. But we live in a world where bad things sometimes happen. When they do, we will relentlessly pursue justice for those who are harmed.”
Officials from several companies and government agencies provided tips for businesses to try to avoid data breaches including having a plan and procedures in place in case of an attack, constructing timelines for the completion of critical tasks and identifying key decision makers in the company, according to the U.S. Department of Justice’s Cybersecurity Unit.
“Many companies do use recommendations to keep their data safe,” Grieggs said. “There is always a trade-off between available resources for IT security and business needs. Unfortunately, an attacker only needs to be ‘right’ one time to result in a breach. Companies must be right every time to prevent a breach.
“The internet does not have neighborhood or even national boundaries. With this understanding, companies can develop a security program that is appropriate for their situation.”
Megan Tomasic is a Tribune-Review staff writer. You can contact Megan at 724-850-1203, [email protected] or via Twitter .