Poor Data Governance Cost Capital One $80 Million

Last year, Capital One showed the world why data governance matters when it suffered a massive data breach that exposed the personal data of about 106 million customers and applicants in the US and Canada. It remains one of the largest breaches on record, and the Office of the Comptroller of the Currency (OCC) has now fined the bank $80 million for failing to establish effective risk assessment processes before moving operations to the cloud. A “what’s in your wallet” meme would work great here, but let’s keep this classy.

The breach was huge, but it was not the result of complex, esoteric, underworld hacking. The damage was done by a former Amazon Web Services (AWS) employee who exploited a misconfigured web application firewall in front of Capital One’s AWS environment to obtain temporary credentials for an IAM role, then used that role to list and copy data from roughly 700 S3 buckets and folders. She posted the results on GitHub, where they sat for about three months before an outside researcher spotted them and reported them to Capital One. The exposed data included names, Social Security numbers, linked bank account numbers, email addresses, credit scores, payment histories, self-reported income, and other private financial and demographic data.

Beyond the fine itself, there is the damage to the Capital One brand and the erosion of trust among its customers. The American Banker’s annual bank reputation survey shows the bank’s reputation dropped from 2018 to 2019 among both customers and non-customers, and S&P Global Ratings revised its outlook on Capital One from “stable” to “negative.” None of this is meant to single out Capital One; rather, because of the size of the company and of the breach, there are significant lessons to be learned.

It’s easy to preach the old “I told you so” saws, but $80 million should get your attention, especially because this was avoidable. And to be clear, it was avoidable without hiring specialized security experts or stacking up more layers of security tools; the same is true of most data breaches. Governance starts with insight into the data a company stores and collaborates on, an understanding of how that data is actually used, and a baseline that separates normal from anomalous behavior. Building behavioral and procedural discipline around those three things, and applying the right automation to them, is at the heart of protecting every company’s most important asset: content.

Insider threats, ransomware, phishing…none of this is news any more; it is a form of extortion that many feel helpless against. But every one of these attacks comes down to someone, an outsider or an insider, obtaining access they should not have and using it before anyone notices. Thwarting them means either denying that entry point or spotting the misuse before it can do major damage.

As Capital One, Equifax, British Airways, and so many others have learned, companies cannot protect data with rudimentary, irregular, manual “pass/fail” audits that only tell them where compliance and security gaps exist, not how those gaps expose sensitive content. Real risk reduction and compliance demand that IT teams know what data they own and how it is used, continuously rather than once a quarter. Automation provides this and other necessary benefits, including:

  • Visibility and analytics: Awareness and context are the starting points for security and compliance. IT teams configure rules that govern acceptable data usage and collaboration, and automation then gives them continuous awareness of behavioral patterns across content repositories instead of a snapshot at audit time.
  • Scale and pace: Every company’s data footprint keeps growing, which drives more user activity, which in turn raises the potential for misuse. Compliance requirements also change over time, and updates to controls are not always rolled out uniformly; when they are not, the gap has to be found and closed. Compliance automation is the most effective way to keep up with that scale and pace of change; manual efforts fall behind, and a gap nobody notices can turn into another compromise.
  • Cohort analysis: Many different users and service accounts perform the same tasks against the same repositories, and workflows often copy the same content asset into several of them. When every copy of an asset is findable and accessible from a single inventory, teams can group principals by role, see who is accessing and collaborating on each asset, and spot the account whose behavior does not match the rest of its group.
  • Compliance requirements and baseline: Automating compliance starts with a clear definition of acceptable behavior according to the framework’s list of controls. That definition becomes the baseline, and anomaly detection is simply the comparison of observed behavior against it.
  • Change detection: A policy update only takes effect once it has been codified into controls and configuration. Change detection records when those controls, configurations or permissions change, so that drift from the approved state is noticed when it happens rather than discovered in an audit months later.
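As an added example (it is not code from the original post, from Capital One or from AWS), here is a small Python version of the baseline-versus-anomaly check the list above describes, run over constructed S3-style access events. The event fields, the bucket names, the role name “waf-role” and the thresholds are all assumptions made for illustration; real CloudTrail records carry more fields under different names. The constructed spike mirrors the pattern of the breach at a high level: a role that normally reads two buckets suddenly enumerates the account and reads from hundreds it has never touched.

```python
"""Baseline-vs-anomaly check over constructed S3-style access events.

Added example, not code from the original post, Capital One or AWS. The
event shape, bucket names, role name and thresholds are assumptions made
for illustration; real CloudTrail records look different.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    principal: str  # IAM user or role that made the call (assumed field)
    action: str     # e.g. "ListBuckets", "GetObject" (assumed field)
    bucket: str     # bucket touched; "(account)" for account-wide ListBuckets


def build_baseline(history):
    """Learn, per principal, which buckets it normally touches and how many
    calls it makes on its busiest day, from a window believed to be benign."""
    buckets = defaultdict(set)
    per_day = defaultdict(lambda: defaultdict(int))
    for ev in history:
        buckets[ev.principal].add(ev.bucket)
        per_day[ev.principal][ev.when.date()] += 1
    return {
        p: {"buckets": buckets[p], "max_daily": max(per_day[p].values())}
        for p in buckets
    }


def find_anomalies(baseline, window, bucket_factor=3, rate_factor=5):
    """Compare one observation window against the baseline.

    Returns a list of (principal, reason). A principal is flagged when it
    touches far more distinct buckets than usual, when its call volume far
    exceeds its busiest baseline day, or when it has no baseline at all.
    The two factors are arbitrary illustration thresholds.
    """
    seen = defaultdict(set)
    counts = defaultdict(int)
    for ev in window:
        seen[ev.principal].add(ev.bucket)
        counts[ev.principal] += 1

    findings = []
    for p in sorted(seen):
        base = baseline.get(p)
        if base is None:
            findings.append((p, "no baseline: principal never seen before"))
            continue
        new = seen[p] - base["buckets"]
        if len(seen[p]) >= bucket_factor * len(base["buckets"]):
            findings.append((p, f"touched {len(seen[p])} buckets "
                                f"({len(new)} never seen); baseline {len(base['buckets'])}"))
        if counts[p] > rate_factor * base["max_daily"]:
            findings.append((p, f"{counts[p]} calls in window; "
                                f"baseline max {base['max_daily']} per day"))
    return findings


def constructed_history():
    """Two weeks of quiet, constructed activity: a WAF role reading its own
    log and config buckets about twenty times a day."""
    start = datetime(2019, 7, 1)
    events = []
    for day in range(14):
        for i in range(20):
            bucket = "waf-config" if i % 2 else "waf-logs"
            events.append(AccessEvent(start + timedelta(days=day, minutes=i),
                                      "waf-role", "GetObject", bucket))
    return events


def constructed_spike():
    """Constructed anomaly: the same role enumerates the account and then
    reads from 700 buckets it has never touched, within a few minutes."""
    t0 = datetime(2019, 7, 17, 3, 0)
    events = [AccessEvent(t0, "waf-role", "ListBuckets", "(account)")]
    for n in range(700):
        events.append(AccessEvent(t0 + timedelta(seconds=n), "waf-role",
                                  "GetObject", f"cust-data-{n:03d}"))
    return events


def constructed_quiet_day():
    """Constructed normal day, used to show the check stays silent."""
    t0 = datetime(2019, 7, 16, 9, 0)
    return [AccessEvent(t0 + timedelta(minutes=i), "waf-role", "GetObject", "waf-logs")
            for i in range(10)]


def demo():
    """Run both windows against the learned baseline."""
    baseline = build_baseline(constructed_history())
    return {
        "quiet": find_anomalies(baseline, constructed_quiet_day()),
        "spike": find_anomalies(baseline, constructed_spike()),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no anomalies")
```

The point of the example is the shape of the control, not the thresholds: the baseline is learned from the principal’s own history, so a role that legitimately touches 700 buckets every day is not flagged, while a role that normally touches two and suddenly reads hundreds is. In production the same comparison would run against real CloudTrail or access-log data and feed an alert rather than a print statement.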

Content is dynamic and always on. Mitigating risk and adhering to compliance standards can no longer be done with a checklist and an internal team working through it by hand. Companies that are not applying automation as part of their compliance approach have only limited visibility into their own data and put their businesses at real risk. With an effective content services compliance strategy that uses automation, companies can see, and therefore protect, the data under their responsibility.

Gartner said, “Through 2022, at least 95% of cloud security failures will be the customer’s fault…”. Never known for hyperbolic restraint, Gartner is still pointing at a simple truth: your data is your responsibility, whichever cloud it sits in. Well, yeah, that’s understood, but it can be hard to know where to start with a data governance strategy. We have some tips on fairly simple steps you can take that will have far-reaching impact across your organization. First, dive deeper into compliance automation. Then, consider some specific policies you can build into your organization to reduce ransomware and insider threats.
