Capital One always said it wasn’t like other banks.
While other financial giants cautiously waded into their own digital transformations, Capital One’s leadership has sought to differentiate the $28 billion bank by investing in technology meant to modernize their business.
The bank has increased its number of technology staffers to 9,000 today from 2,500 in 2011, assigning employees to software engineering, artificial intelligence and building a digital chatbot to automate reminders to customers about when their bills are due or flag unusually large restaurant tips in case they want to rescind them, Rob Alexander, the bank’s chief information officer, told the Wall Street Journal last year.
Capital One also was different for its use of Amazon Web Services, a rarity in the financial services industry where most corporate heavyweights simply don’t trust third parties to store their financial data. At Capital One, the use of AWS was to serve as proof of the bank’s forward-thinking approach to security, with Alexander once telling an AWS summit they could protect data “more securely in the public cloud than even in our own data centers.”
Meanwhile, the firm also has been on a spending spree. Five years ago it acquired Adaptive Path, a San Francisco-based design and user-experience consultancy firm, and a number of other startups, including Critical Stack in 2016. That company, led by cybersecurity veteran Liam Randall, was behind an enterprise security tool that streamlines application development. Soon, Capital One began offering its own version of Critical Stack’s technology.
“We’re in the seventh year of a transformation,” Randall said during a brief interview with CyberScoop last month. “It’s been interesting. As we’ve encountered opportunities in the cloud to think about security at scale, in some cases we’ve been partnering with AWS and in other cases we’re building our own solutions. We’ve had to solve some of these issues as we go.”
That was before Capital One on Monday announced that one individual had accessed names, addresses, self-reported income and other sensitive personal information about roughly 100 million U.S. citizens. The suspect, a former AWS employee named Paige Thompson, also is accused of abusing access to a misconfigured cloud server to access Social Security numbers and bank account information. While it’s too early to know exactly how the apparent insider accessed all this information, Thompson allegedly exploited a firewall to access the troves of information about Capital One customers.
“This could be the result of trying too many new things and forcing them through,” said a cybersecurity executive at a competing financial company not authorized to speak to reporters. “It could have been as simple as [Capital One] only doing a few penetration tests on the firewall, when they should have done more like 100. … But no matter what happened, we have to remember this was a crime that happened against them.”
That mentality, that banking giants and financial companies are exposing themselves and their customers to more cyber risk as they invest in more emerging technologies, is prevalent among security practitioners throughout the industry.
Big banks and financial institutions over the past decade have invested billions of dollars into updating the way they do business, offering customers data-driven services closer to the Silicon Valley-produced convenience than to traditional brick-and-mortar banking. While Capital One has famously converted some bank branches into digital cafes, JP Morgan Chase, Bank of America, Wells Fargo and Citigroup each are slated to spend billions on technology this year, according to a recent UBS survey.
The problem, as Capital One has learned, is that it all could go very wrong.
“Since I joined the bank four or five years ago, [the mentality] has moved from all focused on the trader, like ‘Don’t get in the way of the trader,’ to all about developers,” said W. Patrick Opet, managing director of cybersecurity and technology controls at JP Morgan Chase last month at the SINET Innovation Summit in New York. “Now, it’s ‘Focus on the developer, turn everything into code, and automate everything.’”
Whereas traders would generate income for banks by offering investment advice, selling securities and other products in connection with acquisitions, customers’ shift to online banking has made software the priority. It’s not just banks. Venmo, bought in 2013 by PayPal, is projected to bring in an annual revenue of $200 million, despite widely reported fraud issues, and the stock trading service Robinhood has a $5.6 billion valuation, even if it sometimes fails to store passwords in a secure way.
“A lot of [security development] is being put on the shoulders of developers, and they need to do [things] quickly and be more nimble,” said Mark Nicholson, cyber leader for the financial industry at Deloitte. “The business drives technology in a certain direction, and very rarely is [security] leading in that. … There have been some breaches associated with that. These changes have exposed some weaknesses in the development methodology, overall.”
Chase spends $600 million annually on cybersecurity measures, including everything from artificial intelligence tools to the cloud, CEO Jamie Dimon has said. But relatively simple open-source vulnerabilities — like an Apache Struts bug that enabled the Equifax data breach set to cost that company more than $1 billion — could undercut much of the spending on data protection.
“It is mind blowing that, as companies move more toward open source, [that] someone could get into our systems through a backdoor,” Opet said. “It’s not even malware … an insecure supply chain is a huge problem.”