Capital One breach: lessons universities can learn


In late July, a data breach at Capital One Financial compromised the personal data of more than 106 million people, including six million Canadians. This breach is the latest entry on a very long list of multinational organizations targeted by attackers in recent years, including Equifax in 2017, Marriott in 2018, Facebook in 2019 and the Australian National University in 2019.

How did this breach happen? Capital One runs its credit card services on Amazon Web Services (AWS), and current reports show the cause of the breach was an incorrect firewall configuration. The alleged attacker, Paige Thompson, 33, was able to get past the misconfigured firewall to reach the cloud-based AWS server where Capital One was storing its customer data. AWS had no responsibility in causing or detecting the breach: Capital One was responsible for its firewall configuration and for the vulnerability that gave the attacker unauthorized access.

This incident can serve as a lesson for the University of Toronto (U of T) community as it starts to make use of more third-party computing infrastructure and platform services:

  • Use of third-party cloud storage services does not absolve the University of responsibility for IT-centric tasks, such as firewall configuration and monitoring, or for following best-practice network architecture.
  • The University needs to be aware of how third-party vendors describe the division of responsibility. For example, AWS, Microsoft Azure and other third-party infrastructure and platform providers publish guidelines that spell out which security tasks belong to the provider and which remain with the customer.
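As an illustration of what "firewall configuration and monitoring" as a customer responsibility can look like in practice, the script below audits a set of cloud firewall ingress rules (the security-group style used by the major providers) and reports rules that expose ports beyond an agreed public allowlist to the whole internet. It is an added example written for this article, not code from Capital One, AWS or U of T; the rule format, the sample rules and the allowlist of ports 80 and 443 are constructed assumptions, and nothing here describes the actual misconfiguration reported in the breach.

```python
"""Audit a constructed set of cloud firewall (security-group style) ingress rules.

Added example: shows the kind of configuration check that stays with the
customer under the shared responsibility model. The rule tuple format, the
sample rules and PUBLIC_OK_PORTS are constructed for illustration and are not
any provider's real API output or any real organization's configuration.
"""
import ipaddress

# Assumption for this example: only these ports may face the whole internet.
PUBLIC_OK_PORTS = {80, 443}

# Constructed sample rules: (name, protocol, from_port, to_port, source CIDR).
# Protocol "-1" stands for "all protocols", as several providers encode it.
SAMPLE_RULES = [
    ("web-https",   "tcp", 443,  443,   "0.0.0.0/0"),     # acceptable: on allowlist
    ("web-http",    "tcp", 80,   80,    "0.0.0.0/0"),     # acceptable: on allowlist
    ("ssh-admin",   "tcp", 22,   22,    "10.20.0.0/16"),  # acceptable: internal source
    ("ssh-open",    "tcp", 22,   22,    "0.0.0.0/0"),     # finding: SSH open to world
    ("db-open-v6",  "tcp", 5432, 5432,  "::/0"),          # finding: database open to world
    ("all-traffic", "-1",  0,    65535, "0.0.0.0/0"),     # finding: everything open
]


def is_world_open(cidr):
    """True when the source CIDR covers the entire IPv4 or IPv6 address space."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.prefixlen == 0


def audit_ingress(rules, allowed_public_ports=PUBLIC_OK_PORTS):
    """Return (rule_name, reason) findings for rules open to the internet.

    A rule is flagged when its source is 0.0.0.0/0 or ::/0 and it exposes
    either all protocols/ports or any port outside the public allowlist.
    Rules with a restricted source are not examined further here.
    """
    findings = []
    for name, proto, from_port, to_port, source in rules:
        if not is_world_open(source):
            continue
        if proto == "-1" or (from_port == 0 and to_port == 65535):
            findings.append((name, "all protocols and ports open to the internet"))
            continue
        exposed = set(range(from_port, to_port + 1)) - set(allowed_public_ports)
        if exposed:
            findings.append(
                (name, f"{proto} ports {from_port}-{to_port} open to the internet"))
    return findings


def main():
    for name, reason in audit_ingress(SAMPLE_RULES):
        print(f"[FINDING] {name}: {reason}")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the audit reports `ssh-open`, `db-open-v6` and `all-traffic` and passes the two web rules and the internal-only SSH rule. In a real deployment the same check would be fed from the provider's configuration export and run on a schedule, so that a rule change like the ones flagged here is noticed by the customer, who owns this part of the shared responsibility model, rather than discovered after the fact.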

U of T must also remain wary of how different types of services denote different levels of responsibility for customers:

  • Infrastructure-as-a-Service (IaaS) puts the responsibility for all software patching and upgrading, network configuration and isolation, incident detection and response, and data protection on the customer.
  • Platform-as-a-Service (PaaS) puts the responsibility for application patching, network configuration and isolation, incident detection and response, and data protection on the customer. PaaS therefore leaves less work to the customer than IaaS.
  • Software-as-a-Service (SaaS) often places the responsibility for authentication and authorization to access data on the customer.

For more information and tips on protecting your data, be sure to visit our resources section.