It’s time to take a fresh look at your Cyber Security crisis planning!
The Capital One data breach in late July, which affected 106 million customers, is a bombshell even in the world of crisis management that focuses on managing bombshells!
And it landed in the same week that several developments were announced by Equifax, reminding us of the catastrophic loss of sensitive consumer data that it suffered in 2017.
It all serves to underline that cyber security is a risk scenario that must be anticipated and managed by virtually every organization in the country.
How long is it since you last updated the data security responses and protocols in your issues and crisis management toolkit?
The Capital One situation left many other financial institutions desperately searching for clues about what happened, in case they are facing the same threat.
Capital One, like many other banks, eventually embraced cloud computing, having stayed on the sidelines initially because of security concerns. Now, many are wondering whether they were right to partner with third-party cloud computing vendors.
According to the Wall Street Journal’s reporting, court documents revealed that a Capital One error led to the breach.
However, the alleged hacker who appeared in court on July 30th was a former employee at Amazon’s web services unit, the world’s largest cloud-computing business.
It’s not yet clear that she used inside information to commit the alleged crime – but it has certainly raised a giant question mark.
It was an odd, but timely, coincidence that Equifax was in the news in the hours that followed the revelations about the Capital One breach.
You will recall that Equifax, the giant consumer credit reporting agency, suffered its catastrophic data loss in July 2017 – though it did not reveal the breach until three months later. At that point, its customer service systems were completely overwhelmed by the highly predictable rush of very worried consumers trying to protect themselves from the illegal use of their personal information.
Since then, Equifax has been through a legal, regulatory and reputation grinder, an example of how not to manage a crisis.
Now the company is promising that it has become a model of best practices in cybersecurity defenses – an example to others of how to protect consumer data.
We shall see!
But the lessons of Capital One and Equifax remind us how hard it is to stay on top of new and emerging risks in data security – risks made only greater if we neglect the fundamentals of regularly updating the issues and crisis response protocols for our own organizations.