Monthly Cloud Security Roundup: The Capital One Data Breach, CCPA’s Influence on US Privacy Laws, and More
Each month, we’ll bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss the Capital One data breach, British Airways’ GDPR fines, and more.
Federal prosecutors announced that a hacker broke into a server containing Capital One customer information and gathered 140,000 Social Security numbers, 80,000 bank account numbers, tens of millions of credit card applications, and millions of Canadian social insurance numbers. According to the FBI, the hacker took advantage of a misconfigured firewall on a web application to gain access to sensitive information. The hacker then communicated with the Capital One server where the data was stored to obtain customer records.
Exposing 106 million customers in both the United States and Canada, the Capital One data breach is one of the worst hacks against consumers on record. If you applied for a credit card after 2005, you might be affected. Here’s what you can do in the aftermath of the breach:
- Take advantage of the free credit monitoring and identity protection that Capital One is offering to affected customers
- Contact Equifax, Transunion, or Experian to freeze your credit
- Change your banking passwords and enable multifactor authentication
“I sincerely apologize for the understandable worry this incident must be causing those affected, and I am committed to making it right.” – Capital One CEO Richard D. Fairbank
With CCPA slated for enactment on January 1, 2020, organizations across the globe are reviewing their privacy policies and working hard to meet compliance regulations by the end of the year. CCPA aims to provide California citizens with greater autonomy over their personal data and privacy, and it’s expected to create a wake of similar privacy laws in other US states.
Many industry experts expect to see states following California’s lead in the future, particularly due to the far-reaching nature of CCPA. As the legislation currently stands, any organization of a certain size managing the personal information of California citizens – regardless of whether or not the company is physically located in California – is subject to CCPA’s regulations. What this means for security and privacy professionals is that they must heed the law’s influence, since they may be liable. And, just because organizations are GDPR-ready, that doesn’t automatically make them CCPA compliant as well. As new privacy demands take the nation by storm, companies managing US citizens’ personal data can expect more laws modeled after CCPA in the future.
After a breach affected 500,000 airline customers, the Information Commissioner’s Office (ICO) is fining British Airways $230 million (£183.4 million) for violating GDPR – a record fine since the regulation was enacted. The breach occurred when visitors to British Airways’ website were diverted to a fraudulent site where their personal information – including names, addresses, emails, and payment information – was harvested. During the initial breach disclosure, the report stated that the breach occurred sometime between August and September 2018 and impacted nearly 400,000 card payments. In addition, the company later added that the information of the 180,000+ people who booked between April and July might also have been compromised.
“When you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.” – ICO Commissioner Elizabeth Denham
Salesforce announced a new partnership with Alibaba – one of the largest e-commerce companies in the world – which will operate core services for Salesforce in the Asia region. Alibaba is projected to boost Salesforce’s market reach by localizing the CRM tools and selling them in the Chinese region. The union will enable Salesforce to break into the Chinese market, where other notable American companies like Google and eBay have struggled amidst the tech war between China and the US. According to Salesforce, the partnership will bring Sales Cloud, Service Cloud, Commerce Cloud, and the Salesforce Platform to customers in mainland China, Hong Kong, Macau, and Taiwan.
The US Coast Guard issued a marine safety alert to the maritime community, warning of potentially severe cybersecurity incidents onboard ships. A malware attack reportedly affected a deep draft vessel in February, while another series of incidents in May arrived in the form of phishing attempts – fraudulent emails disguised as legitimate correspondence from a trusted party, used to obtain personal information like passwords or credit card numbers. The emails appeared to come from the official US Port State Control (PSC) account and contained malware that spread throughout commercial vessels. The emails specifically targeted ship operators and caused disruptions to shipboard computer systems. The February malware attack left the affected ship’s network significantly degraded.
The US Coast Guard hopes these warnings put mariners on alert; in response to the malware attacks, it also issued a list of best practices for preventing cybersecurity attacks at sea.
“Maintaining effective cybersecurity is not just an IT issue, but is rather a fundamental operational imperative in the 21st century maritime environment.” – US Coast Guard
Consistently in the news for privacy concerns, Facebook has agreed to settle with the FTC by paying a record $5 billion. $5 billion may seem like a lot, but it’s a small fraction of the $56 billion in revenue Facebook reported for 2018. The FTC’s multi-year investigation alleges the company is responsible for privacy violations such as failing to protect users’ data and failing to change questionable – yet lucrative – business practices.
The settlement agreement with the FTC calls for Facebook CEO Mark Zuckerberg to forfeit sole control over privacy decisions. Instead, an independent privacy committee – comprised of directors on Facebook’s board – will have oversight and final authority over company privacy policies. Facebook will also be required to establish tighter control over third-party applications, routinely check for unencrypted passwords, and refrain from using phone numbers collected for security reasons for advertising. The FTC also calls for the company to conduct privacy reviews, obtain privacy certifications, and undergo regular assessments.