100 Million People In The U.S. Affected By Capital One Data Breach

NPR's Ari Shapiro talks with Robert Knake of the Council on Foreign Relations about a Capital One data breach that compromised personal information of nearly 100 million Americans.

AUDIE CORNISH, HOST:

We begin this hour with a line that sounds familiar by now. There's been a massive data breach that's compromised sensitive information for millions of people. This one happened at Capital One. The bank says the hack affected about a hundred million people in the U.S. and another 6 million in Canada. It's one of the largest data thefts from a bank ever.

ARI SHAPIRO, HOST:

The woman accused of the hack is a software engineer and former Amazon employee. According to Capital One, the information she stole includes tens of thousands of Social Security and bank account numbers. Robert Knake is here to put this hack into context. He's a senior fellow for cyber policy at the Council on Foreign Relations.

Welcome.

ROBERT KNAKE: Good to be with you.

SHAPIRO: Now, Capital One says it's unlikely that any of the information stolen in this hack was used for fraud or shared. How worried should the millions of Capital One customers who were compromised be about this?

KNAKE: Well, at this point, based on what we know from the indictment, we don't believe that the information was shared publicly or shared with anyone in the criminal underworld. It's believed that this individual was hacking to show that she could do it, to expose security flaws but was not hacking with the intent of stealing this data and using it to generate criminal income.

SHAPIRO: Capital One was alerted to the breach by a tipster who wrote to the bank's security hotline in mid-July. Does it concern you that the bank didn't discover the leak on its own?

KNAKE: Well, I think that's one of the more disturbing features of this. I think some praise is owed to Capital One for their rapid response and their ability to quickly deal with this vulnerability and secure their systems. But on the other hand, someone had access to this data for several months. And they didn't detect what was a hundred million individuals' data being exfiltrated and what amounted to about 30 gigabytes of data exiting through their network. So yeah, I think it does call into question why they weren't able to detect this on their own.

SHAPIRO: I know that consumers may feel from the (unintelligible) like all of the companies in the world are getting hacked all the time. But your research shows that there are actually a lot of companies that have taken the appropriate steps to make sure that their private information is not compromised. And so when we hear about a Capital One or Equifax or another big company losing customers' private information, do you think that's something they should have been able to prevent?

KNAKE: I mean, in this case, most definitely. What we've been focused on is the fact that it really is starting to take very advanced capabilities to target many U.S. corporations. In this case, it feels like a throwback. A lone hacker was able to take advantage of a single misconfigured firewall in order to exfiltrate the data. That is not what's supposed to happen in 2019, where you're supposed to have multiple layers of security, you're supposed to have the ability to detect and respond rapidly. In this case, Capital One was unable to do any of those things.

SHAPIRO: Do you think there are harsh enough consequences for companies that make these kinds of missteps? Is there enough of a deterrent to keep them from doing it again or keep other companies from making the same mistake?

KNAKE: If the consequences for this kind of data loss were really going to be severe, Capital One never would have let this happen in the first place. If they were really worried about the concerns of having an unsecured pool of data like this, they would've been monitoring externally for it. They would have been watching these forums where discussions about these kinds of breaches take place. They would have discovered this on their own. And so no, I don't think the incentives are there to get companies to care about security in the way they need to be.

SHAPIRO: So is it appropriate for us to view these companies as victims in a breach like this? Or do you think that language sort of misconstrues it?

KNAKE: The ultimate victim here isn't Capital One. The ultimate victim here are the people who applied for these credit cards, who offered up their personal information, who linked their bank accounts to Capital One and now are going to be dealing with the consequences of Capital One's poor security for years. And so I don't think Capital One should be viewed as a victim here. I think they were a custodian of this data, and they needed to be responsible for protecting it.

SHAPIRO: That's Robert Knake of the Council on Foreign Relations. He is co-author of a new book called "The Fifth Domain: Defending Our Country, Our Companies, And Ourselves In The Age Of Cyber Threats."

Thanks a lot.

KNAKE: Thank you.

Copyright © 2019 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.