Experts: Capital One data breach latest example of constant cybersecurity threats | TribLIVE.com

Experts: Capital One data breach latest example of constant cybersecurity threats

Megan Tomasic
Tribune-Review
Today, the odds of a data breach happening at major companies are almost 100%

The latest reported consumer data breach — in which a hacker exposed personal information of more than 100 million Capital One customers and applicants — came as no surprise to cybersecurity experts in Western Pennsylvania.

The odds of a data breach happening at major companies are almost 100%, said Paul Grieggs, IT security manager at Indiana University of Pennsylvania.

“Most major companies experience security incidents that may result in compromised data,” he said.

The list of corporate victims includes Yahoo, Marriott, Equifax, eBay, Target and Facebook. Even the Postal Service and the IRS have experienced major data breaches. Five years ago, hackers accessed sensitive data of more than 60,000 UPMC workers.

The increase in security breaches is an indicator of how far technology and security companies have to go, said Bryan Parno, a Carnegie Mellon University computer science and engineering professor and member of the school’s Security and Privacy Institute, or CyLab. He attributed the increased number of breaches to information becoming digitized and a more sophisticated criminal economy.

To help fight breaches, places like CyLab are exploring ways to build more secure software and networks that can detect when somebody infiltrates a network.

Limited laws surrounding data breaches can also impact how well companies protect against threats, Parno said. In Pennsylvania, companies that store or manage computerized data, including personal information, are required to give public notice in the event of a breach in the security system.

But across the country, breaches impacting 10,000 or fewer people are not likely to be reported, Parno added.

“It’s quite possible those are happening or are happening at a smaller scale,” Parno said.

For now, at least, Grieggs said the key to limiting the compromise of data is quickly finding and responding to breaches.

Major breaches like the one at Capital One — which the company publicly announced Monday, the same day federal authorities charged a Seattle woman with computer fraud and abuse in the case — were made worse by a failure to detect or respond to the breach in time, Grieggs said.

“It will likely be several weeks until we know the facts surrounding the Capital One breach,” Grieggs said. “It sounds bad, but it will take some time to understand the full impact. I think the Equifax breach of 2017 was one of the worst in terms of the scale of sensitive data that was compromised.”

The Equifax data breach — considered one of the largest in U.S. history — is believed to have affected nearly 150 million people. People whose Social Security numbers and other private information were exposed by the Equifax credit reporting agency can apply online for a share of the $425 million available through a $700 million settlement reached between the government and the company.

Cyber criminals have stolen an estimated $11.3 billion in the past 12 months, according to a 2018 cyber safety report from Symantec Corp.

The Pew Research Center in 2017 reported results of a survey which found that 64% of U.S. adults had been impacted by some sort of data theft — from fraudulent credit card charges and compromised Social Security numbers to hacked email and social media accounts.

“Criminals are always seeking creative ways to get inside networks and steal data,” said Catherine Policicchio, a spokeswoman for the Pittsburgh FBI office. “We work with government and private sector partners to prevent as many attacks as possible. But we live in a world where bad things sometimes happen. When they do, we will relentlessly pursue justice for those who are harmed.”

Officials from several companies and government agencies provided tips for businesses to try to avoid data breaches, including having a plan and procedures in place in case of an attack, constructing timelines for the completion of critical tasks and identifying key decision makers in the company, according to the U.S. Department of Justice’s Cybersecurity Unit.

“Many companies do use recommendations to keep their data safe,” Grieggs said. “There is always a trade-off between available resources for IT security and business needs. Unfortunately, an attacker only needs to be ‘right’ one time to result in a breach. Companies must be right every time to prevent a breach.

“The internet does not have neighborhood or even national boundaries. With this understanding, companies can develop a security program that is appropriate for their situation.”

Megan Tomasic is a Tribune-Review staff writer. You can contact Megan at 724-850-1203, [email protected] or via Twitter.
