A Case Study of the Capital One Data Breach
Working Paper CISL# 2020-16
21 Pages Posted: 28 Apr 2020
Date Written: March 1, 2020
Abstract
In an increasingly regulated world, with companies prioritizing a big part of their budget for expenses with cyber security protections, why have all of these protection initiatives and compliance standards not been enough to prevent the leak of billions of data points in recent years? New data protection and privacy laws and recent cyber security regulations, such as the General Data Protection Regulation (GDPR) that went into effect in Europe in 2018, demonstrate a strong trend and growing concern on how to protect businesses and customers from the significant increase in cyberattacks. Does the flaw lie in the existing compliance requirements or in how companies manage their protections and enforce compliance controls? The purpose of this research was to answer these questions by means of a technical assessment of the Capital One data breach incident, one of the largest financial institutions in the U.S. This case study aims to understand the technical modus operandi of the attack, map out exploited vulnerabilities, and identify the related compliance requirements, that existed, based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework, version 1.1, an agnostic framework widely used in the global industry to provide cyber threat mitigation guidelines. The results of this research and the case study will help government entities, regulatory agencies, and companies to improve their cyber security controls for the protection of organizations and individuals.
Suggested Citation: Suggested Citation