A Case Study of the Capital One Data Breach

Abstract

In an increasingly regulated world, with companies prioritizing a big part of their budget for expenses with cyber-security protections, why have all of these protection initiatives and compliance standards not been enough to prevent the leak of billions of data points in recent years? New data protection and privacy laws and recent cyber-security regulations, such as the General Data Protection Regulation (GDPR) that went into effect in Europe in 2018, demonstrate a strong trend and growing concern on how to protect businesses and customers from the significant increase in cyber-attacks. Are current legislation, regulations and compliance standards sufficient to prevent further major data leaks in the future? Does the flaw lie in the existing compliance requirements or in how companies manage their protections and enforce compliance controls? The purpose of this research was to answer these questions by means of a technical assessment of the Capital One data breach incident which occurred at one of the largest financial institutions in the U.S. This incident was selected as a case study to understand the technical modus operandi of the attack, map out exploited vulnerabilities, and identify the related compliance requirements, that existed. The National Institute of Standards and Technology (NIST) Cyber-security Framework, version 1.1, as a basis for analysis because it is required by the regulatory bodies of the case study and it is an agnostic framework widely used in the global industry to provide cyber threat mitigation guidelines. The results of this research and the case study will help government entities, regulatory agencies, companies and managers in understanding and applying recommendations to establish a more mature cyber-security protection and governance ecosystem for the protection of organizations and individuals.