Capital One breach a win for crowdsourced cybersecurity
When Ali Tutuncu found a vulnerability in Capital One Financial Corp.’s software in March, the company fixed the flaw in 20 days. An independent security researcher, Tutuncu said the bank thanked him and added him to its page of fame.
“They did not pay financially,” he said. “Still, it was a nice experience.”
Capital One is among a relatively small group of major companies that are encouraging the typically anti-establishment hacker community — and security researchers too — to find potential vulnerabilities in their computer networks before malicious hackers do. Some of the programs offer cash rewards, called bug bounties, of as much as $200,000.
The bank is crediting its Responsible Disclosure Program with helping them track down a Seattle woman who had allegedly infiltrated their computer network. Paige Thompson, 33, allegedly accessed a massive amount of data: more than 100 million people, including names, addresses, dates of birth and about 140,000 Social Security numbers.
That’s a black eye for a company that’s touted its tech savviness, and the hack has sent Capital One Shares tumbling 11% in the last week. But it appears the damage could have been worse: Capital One said it was unlikely the information was used for fraud or disseminated to others.
Thompson was charged on July 29 with computer abuse and fraud. Her arrest marks a major success for cyber tip lines, and one that is likely to encourage other companies to start their own. Paul Benda, senior vice president of risk and cybersecurity policy at the American Bankers Association, said he couldn’t recall tip that was wrapped up so quickly.
“From the time they submitted, to the time it was shut down to the time there was an arrest, there’s no example I think that comes close to that,” he said.
Alex Rice, co-founder and chief technology officer of HackerOne Inc., which manages “hacker-powered security” platforms for Capital One and other companies, said, “Usually vulnerability disclosure programs are not uncovering criminal activity. But it is phenomenal that it works out that way.”
Jennifer Bayuk, a former risk cybersecurity executive at several major banks including JP Morgan Chase & Co., said if banks don’t already have vulnerability disclosure programs, they are likely looking at them now. “They’re probably looking at the Capital One news and meeting with legal as we speak.”
There appears to be plenty of room for growth. A 2018 HackerOne report concluded that 93% of the world’s largest public companies don’t have a policy to handle “critical bug reports” submitted by outsiders.
The tip that led to Thompson’s arrest came in on July 17, when an unnamed “external security researcher” emailed Capital One’s disclosure program saying that leaked data was being stored on a publicly accessible file at GitHub, which allows users to manage and store software projects.
Capital One provided few details when asked about its cyber tip line. A public page about the bank’s program at HackerOne shows that it has received at least 30 reports of security flaws since it started in January. HackerOne declined to say how many of those reports were validated security flaws.
“White Hat” hacker programs have been around for years, but they have become more formalized as the volume and severity of threats has increased. Some companies manage their own vulnerability disclosure efforts. Companies like HackerOne and BugCrowd offer services to analyze incoming tips and, if warranted, pass them on to their client’s security team.