BLOOMINGTON, Ind. — In one of the largest thefts of data from a bank, a software engineer in Seattle hacked into a server holding customer information for Capital One and obtained the personal data of over 100 million people. This follows last week’s settlement by the credit bureau Equifax after a 2017 data breach exposed sensitive information on over 147 million consumers, costing it about $650 million. IU experts in cybersecurity are available to speak with news media.
Fred H. Cate is vice president for research, Distinguished Professor, C. Ben Dutton Professor of Law and adjunct professor of informatics and computing at Indiana University. He specializes in information security and privacy law, and he appears regularly before Congress and government agencies on these subjects.
“This breach — like the vast majority of all breaches — was preventable,” Cate said. “The techniques used were common and predictable, and most of the data was already ‘out there,’ available for free or for purchase online. The bigger issue isn’t the misuse of personal data, but rather our growing reliance on data to fly airplanes, drive cars, manage home and office security, run our financial system and a thousand other critical uses, all while we are incapable of securing the data or the systems that rely on them. The simple truth is that so far we are unable to secure any data absolutely.
“The good news in the case of Capital One is most of the data involved is fairly innocuous: name, address, credit card number,” he added. “These data are rarely used to cause significant consumer harm, and the harm they might cause is often easily addressed. For example, credit card companies cover fraudulent charges, and federal law provides consumers the right to freeze their credit reports for free so that new credit accounts can’t be opened in their name without permission. All of the data we have suggests that the larger the breach, the less likely that an individual will be victimized as a result.”
Scott J. Shackelford serves on the faculty of Indiana University, where he is Cybersecurity Program chair, director of the Ostrom Workshop Program on Cybersecurity and Internet Governance, and associate professor of business law and ethics at the IU Kelley School of Business. He is a senior fellow at IU’s Center for Applied Cybersecurity Research, academic director of the IU Cybersecurity Clinic and a term member at the Council on Foreign Relations.
“The data breach at Capital One highlights the need for the offices in charge of cybersecurity and human resources staffs at major firms to get on the same page and identify disgruntled employees before it’s too late,” Shackelford said. “In terms of how consumers can respond, it’s important to remember there’s a lot we can do to make it less likely that we’ll be a victim of identity theft stemming from a major breach. This includes requesting preemptive fraud alerts or credit freezes with all three credit reporting agency accounts, which will prohibit others from taking out loans or new credit cards in your name.”
Shackelford added that the vulnerabilities shown by this type of major cyberattack highlight the need for an all-of-the-above approach to cybersecurity, such as the establishment of a National Cybersecurity Safety Board.