Proper Tokenization and Encryption Would Have Saved Capital One From A Potential Billion Dollar Loss

We Need To Stop Finger Pointing … And Better Articulate “Good” from “Bad” Practice

The overall cost of the Capital One loss is not yet apparent, but judged against other recent breaches, they could be looking at over one billion dollars. This hack was no BA, Equifax (with systems that were over 40 years old) or TalkTalk hack; it was against a company with good levels of investment in technology and with the very latest infrastructure.

So what happens when you keep telling the world that data breaches could be solved by encryption and tokenization, and then the company gets hacked? Well, you analyse it, see what the problem is, and pinpoint how it could be improved. From what I see from the breach report, the scope of the breach has been limited by the usage of encryption and tokenization, but the actual implementation of these methods is more of a checkbox approach than a proper integration.

We operate, we learn, we improve.

Well, as security professionals, we are not great at articulating the facts behind data breaches. We often just post news items, and then point and say “There you go again”. For many, they are just relieved…

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice