A Case Study of the Capital One Data Breach

Novaes Neto, Nelson; Madnick, Stuart; Moraes G. de Paula, Anchises; Malara Borges, Natasha

doi:10.2139/ssrn.3542567

Download This Paper

Open PDF in Browser

Add Paper to My Library

A Case Study of the Capital One Data Breach

25 Pages Posted: 17 Mar 2020

See all articles by Nelson Novaes Neto

Stuart Madnick

Massachusetts Institute of Technology (MIT) - Sloan School of Management

In an increasingly regulated world, with companies prioritizing a big part of their budget for expenses with cyber-security protections, why have all of these protection initiatives and compliance standards not been enough to prevent the leak of billions of data points in recent years? New data protection and privacy laws and recent cyber-security regulations, such as the General Data Protection Regulation (GDPR) that went into effect in Europe in 2018, demonstrate a strong trend and growing concern on how to protect businesses and customers from the significant increase in cyber-attacks. Are current legislation, regulations and compliance standards sufficient to prevent further major data leaks in the future? Does the flaw lie in the existing compliance requirements or in how companies manage their protections and enforce compliance controls? The purpose of this research was to answer these questions by means of a technical assessment of the Capital One data breach incident which occurred at one of the largest financial institutions in the U.S. This incident was selected as a case study to understand the technical modus operandi of the attack, map out exploited vulnerabilities, and identify the related compliance requirements, that existed. The National Institute of Standards and Technology (NIST) Cyber-security Framework, version 1.1, as a basis for analysis because it is required by the regulatory bodies of the case study and it is an agnostic framework widely used in the global industry to provide cyber threat mitigation guidelines. The results of this research and the case study will help government entities, regulatory agencies, companies and managers in understanding and applying recommendations to establish a more mature cyber-security protection and governance ecosystem for the protection of organizations and individuals.

Suggested Citation: Suggested Citation

Novaes Neto, Nelson and Madnick, Stuart E. and Moraes G. de Paula, Anchises and Malara Borges, Natasha, A Case Study of the Capital One Data Breach (January 1, 2020). Available at SSRN: https://ssrn.com/abstract=3542567 or http://dx.doi.org/10.2139/ssrn.3542567