A Case Study of the Capital One Data Breach

Working Paper CISL# 2020-16

21 Pages Posted: 28 Apr 2020

See all articles by Nelson Novaes Neto

Nelson Novaes Neto

MIT Sloan School of Management

Stuart Madnick

Massachusetts Institute of Technology (MIT) - Sloan School of Management

Anchises Moraes G. de Paula

C6 Bank

Natasha Malara Borges

C6 Bank

Date Written: March 1, 2020

Abstract

In an increasingly regulated world, with companies prioritizing a big part of their budget for expenses with cyber security protections, why have all of these protection initiatives and compliance standards not been enough to prevent the leak of billions of data points in recent years? New data protection and privacy laws and recent cyber security regulations, such as the General Data Protection Regulation (GDPR) that went into effect in Europe in 2018, demonstrate a strong trend and growing concern on how to protect businesses and customers from the significant increase in cyberattacks. Does the flaw lie in the existing compliance requirements or in how companies manage their protections and enforce compliance controls? The purpose of this research was to answer these questions by means of a technical assessment of the Capital One data breach incident, one of the largest financial institutions in the U.S. This case study aims to understand the technical modus operandi of the attack, map out exploited vulnerabilities, and identify the related compliance requirements, that existed, based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, version 1.1, an agnostic framework widely used in the global industry to provide cyber threat mitigation guidelines. The results of this research and the case study will help government entities, regulatory agencies, and companies to improve their cyber security controls for the protection of organizations and individuals.

Suggested Citation

Novaes Neto, Nelson and Madnick, Stuart E. and Moraes G. de Paula, Anchises and Malara Borges, Natasha, A Case Study of the Capital One Data Breach (March 1, 2020). Working Paper CISL# 2020-16, Available at SSRN: https://ssrn.com/abstract=3570138 or http://dx.doi.org/10.2139/ssrn.3570138

Nelson Novaes Neto

MIT Sloan School of Management ( email )

100 Main Street
Cambridge, MA 02142
United States
617-253-1000 (Phone)

Stuart E. Madnick (Contact Author)

Massachusetts Institute of Technology (MIT) - Sloan School of Management ( email )

E53-321
Cambridge, MA 02142
United States
617-253-6671 (Phone)
617-253-3321 (Fax)

Do you want regular updates from SSRN on Twitter?

Paper statistics

Downloads
1,728
Abstract Views
4,696
rank
13,878
PlumX Metrics