Fortune magazine four years ago published what easily ranks among the best investigative features of all time, an in-depth examination of the devastating cyberattack launched against Sony Pictures. The attack erased everything stored on about half of Sony’s personal computers and servers. A deleting algorithm overwrote the data seven different ways, disabling all of Sony’s computers. Extensive proprietary information, including a not yet released film and damaging emails, found their way onto the internet.
The feature forever changed my perception that companies go to great lengths to protect sensitive data. Fortune made clear that Sony pretty much had the welcome mat out for hackers. How lax was security? A group of salespeople visiting the company’s information security department was left unattended for 15 minutes in a room with logged-in computers connected to Sony’s global data network.
Fortune’s story contained one egregious error, the headline: “Inside the Hack of the Century.” Yahoo had already experienced a much bigger data theft, but then-CEO Marissa Mayer kept it under wraps for two years, until she was forced to disclose the breach when Verizon began its due diligence to buy the moribund company. Mayer, an engineer who one might expect would excel at cybersecurity, still walked away with a $260 million severance package.
Security breaches are now almost as common as Donald Trump’s provocative tweets. But the public has become inured to them, even when they involve institutions that should be at the vanguard of data protection, like Equifax and the IRS. Capital One is the latest to announce a major data theft, and there are some wrinkles to the heist that should spark public outrage, not only about the porous state of America’s data networks but also about America’s healthcare system, where the mentally ill have to commit crimes to get medical help.
The Capital One breach was allegedly committed by a suicidal transgender engineer named Paige A. Thompson, who previously worked for Amazon’s highly profitable cloud-computing division. According to the Wall Street Journal, Thompson accessed the data through a “misconfigured firewall,” which, as I understand it, is techspeak for a firewall whose rules were written so permissively that they let through traffic they should have blocked, leaving an improperly secured opening into Capital One’s data network.
Gartner more than two years ago warned that more than 95 percent of firewall breaches would be caused by firewall misconfigurations rather than by flaws in the firewalls themselves. What’s shocking is why these misconfigurations are commonplace. Canadian engineer Kyle Wickert published this advisory four years ago:
Firewalls are often set up with an open policy of allowing traffic from any source to any destination. This is because IT teams don’t know exactly what they need at the outset, and therefore start with broad rules and work backwards. However, the reality is that due to time pressures or simply not regarding it as a priority, they never get round to defining firewall policies. This leaves the network in a perpetually exposed state (emphasis mine).
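To make Wickert’s “start broad and work backwards” failure concrete, here is a small Python model of a first-match firewall rule list. It is an example added by the editor, not code from the original column or from Capital One, Gartner or Wickert, and every rule name, address and port in it is constructed for illustration. It builds two policies, one with a temporary any-to-any allow rule followed by a deny that was added later, and one that is default-deny with only the flows the application needs, then evaluates the same internet-to-database connection against both and lints each policy for the two defects the advisory describes: an open allow rule, and a narrower rule that can never fire because a broader rule above it matches first.

```python
"""Firewall-policy linter for first-match rule lists (example added by the
editor; the rules, addresses and ports below are constructed, not Capital
One's, Gartner's or Kyle Wickert's)."""
from dataclasses import dataclass
from typing import List, Tuple
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # CIDR or "any"
    dst: str                 # CIDR or "any"
    ports: Tuple[int, ...]   # empty tuple means every port
    action: str              # "allow" or "deny"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ANY if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def _covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    ports_ok = not outer.ports or (bool(inner.ports) and set(inner.ports) <= set(outer.ports))
    return (_net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and ports_ok)


def matches(rule: Rule, src_ip: str, dst_ip: str, port: int) -> bool:
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and (not rule.ports or port in rule.ports))


def decide(policy: List[Rule], src_ip: str, dst_ip: str, port: int,
           default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation: return (action, name of the rule that fired)."""
    for rule in policy:
        if matches(rule, src_ip, dst_ip, port):
            return rule.action, rule.name
    return default, "implicit-default"


def lint(policy: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, finding kind, detail) for each defect found."""
    findings = []
    for i, rule in enumerate(policy):
        # Defect 1: the "any source to any destination" allow the advisory warns about.
        if (rule.action == "allow" and _net(rule.src) == ANY
                and _net(rule.dst) == ANY and not rule.ports):
            findings.append((rule.name, "open-allow",
                             "allows any source to any destination on any port"))
        # Defect 2: a later, narrower rule that an earlier rule always pre-empts.
        for earlier in policy[:i]:
            if _covers(earlier, rule):
                findings.append((rule.name, "shadowed",
                                 f"never fires: '{earlier.name}' ({earlier.action}) matches first"))
                break
    return findings


# Constructed policy in the "start broad, tighten later" style: the placeholder
# allow-all was never removed, so the deny added afterwards is dead.
OPEN_POLICY = [
    Rule("temp-allow-all", "any", "any", (), "allow"),
    Rule("block-db-from-internet", "any", "10.0.5.0/24", (5432,), "deny"),
]

# Constructed default-deny policy: only the flows the application needs.
TIGHT_POLICY = [
    Rule("web-from-internet", "any", "10.0.1.0/24", (443,), "allow"),
    Rule("db-from-app-tier", "10.0.1.0/24", "10.0.5.0/24", (5432,), "allow"),
]


if __name__ == "__main__":
    probe = ("203.0.113.7", "10.0.5.10", 5432)   # an internet host reaching for the database
    for label, policy in (("open", OPEN_POLICY), ("tight", TIGHT_POLICY)):
        print(label, decide(policy, *probe))
        for finding in lint(policy):
            print("  ", *finding)
```

The point the linter makes is the one in the quote: against the open policy the internet-to-database probe is allowed by the placeholder rule, and the deny written later never executes, so the network stays exposed no matter how many narrower rules are appended below the broad one. Real rule bases are larger and first-match semantics vary by product, but the same two checks, an any-to-any allow and a rule fully covered by an earlier rule, are what a practitioner runs against an exported policy before trusting it.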
It’s not clear to me how much skill was required for Thompson to penetrate Capital One’s network, though it would seem that she’s technically more proficient analyzing security flaws than Yahoo’s Mayer. What is clear is that Thompson was in need of psychiatric care and her motivation for stealing Capital One’s data was to get caught and hopefully committed to a mental institution.
“I have a whole list of things that will ensure my involuntary confinement from the world,” she said in one tweet. “The kind that they can’t ignore or brush off onto the crisis clinic. I’m never coming back.” In another tweet she wrote: “I’ve basically strapped myself with a bomb vest. F-king dropping capital ones dox and admitting it.” Thompson also tweeted she planned to go to Denmark in October for legally assisted suicide.
Most alarming of all is that Thompson had Capital One’s sensitive data for several months, but the company only discovered it was stolen after a Good Samaritan hacker sent an email notifying it of Thompson’s online musings. One might expect that major corporations and the government monitor online hacker sites for this sort of information, but apparently they don’t.
The U.S. Customs and Border Protection disclosed in June that it had been hacked and that photos of people’s faces and license plates had been compromised. The agency learned of the theft from its subcontractor, who in turn learned about it from its own subcontractor. Who knew that data security was all about affinity marketing? Remarkably, the British technology website The Register reported on the theft a month before CBP confirmed it.
The public mistakenly believes that companies are “victims” of data theft when often it’s simply the result of negligence, incompetence, or an overtaxed IT department. There are no long-term consequences for this disregard of security: Richard Smith, Equifax’s former CEO, walked away with his full $90 million retirement package despite Sen. Chuck Schumer declaring the company’s data theft “one of the most egregious examples of corporate malfeasance since Enron.”
Here’s my surefire, frontier justice solution to put an end to data breaches, an idea sparked by Rep. Katie Porter. Companies that experience data breaches should be required to prominently disclose on their websites the birthdays, addresses, and social security numbers of their entire senior management and their board of directors. I’m confident this requirement alone will make cybersecurity the most prominent focus of every board meeting.
As for Ms. Thompson, it’s not clear that she sold Capital One’s data to nefarious third parties or benefited financially from her theft. If it turns out she did neither, I say Capital One should publicly thank her for spotting its network security hole, get and pay for the medical help she needs, and then appoint her vice president for firewall configuration.