The Latest Mass Data Breach

What Law Firms Should Know

On July 29, Capital One, a major issuing bank in the US market, reported a large-scale security breach in its network. The Capital One hack resulted in the exposure of personal data connected to more than 100 million credit applicants in the US and 6 million in Canada.

This isn’t the biggest security breach in history. The Equifax hack perpetrated back in September 2017, for instance, exposed the personal financial information of 145 million Americans. That said, the news about Capital One is still a serious matter.

As a law firm, you need to understand the ramifications of this latest incident, and what to do about it.

2019 Capital One Hack: The Details (CBC News, 2019)

The Capital One data breach didn’t happen in a vacuum: a former Amazon Web Services engineer who had performed contract work with the bank carried out the attack. Using her knowledge of the company’s systems, alleged attacker Paige Thompson managed to access Capital One’s internal network.

Thompson allegedly exploited a vulnerability resulting from the bank misconfiguring a web application firewall. As a result, she was able to steal a massive cache of data from the servers Capital One used to store consumer data.

This personal information came from roughly 100 million US residents, plus an additional 6 million people in Canada. While the attacker didn’t get access to the same information for every victim, some of the data she managed to steal included:

  • Full Name
  • Street Address
  • Zip/Postal Code
  • Phone Number
  • Email Address
  • Date of Birth
  • Self-Reported Income
  • Credit Scores
  • Account Balances

Even worse, the attack revealed the Social Security numbers of some 140,000 Americans, plus 80,000 bank account numbers and 1 million Canadian social insurance numbers.

While the suspect was located and apprehended almost immediately, a high percentage of the compromised data has likely already made its way online. This holds serious potential consequences—not only for the bank, but for the entire marketplace.

Post-Breach Fraud Attacks are Coming

So, what are the likely ramifications of the Capital One hack? Initially, there will be a spike in fraud cases. This will come about through a primary tactic:

LAW FIRM ACCOUNT TAKEOVER

Account takeover is a threat Vancouver law firms face constantly. The hacker either guesses the user’s login info or purchases it from a previous breach, and then accesses the firm’s network. The fraudster doesn’t need to have all consumer data on hand to carry out the account takeover. In fact, fraudsters often begin with partial data and either guess or find other ways to reveal any other necessary information.

This tactic involves a third party who uses stolen account details to access a user’s business accounts. Once inside, the hacker will typically install a “cryptolocker” on the law firm’s network, encrypting all data and rendering the network useless. The hacker then demands a ransom payment in exchange for decrypting the data. The financial and reputational ramifications of this cannot be overstated.

One of the main reasons for the surge in account takeover attacks is that consumers reuse login credentials. If one individual account is compromised, it means any account using those credentials, in part or in whole, can also be compromised.

What Should Law Firms Do?

From a long-term security and firm-wide policy perspective, we recommend reading and implementing the recommendations in this whitepaper, 10 Steps to Preventing IT Downtime for Law Firms: bmcnetworks.ca/whitepaper. In this document, you’ll find our top 10 security tips for our active and prospective clients.

From a security perspective, if you’re not an existing client, we recommend your firm have a network assessment immediately to identify whether any breaches have already occurred. To book an assessment, go to bmcnetworks.ca/assessment