Security News Survey – August 2, 2019

This week, we look at data breaches at Capital One and a major textbook publisher, as well as an unsecured Honda database.

Just one week after the historic Equifax settlement, we have already seen another massive data breach impacting millions of Americans and Canadians. Let’s take a look. 

Capital One data breach exposes more than 100 million credit card applicants

Major U.S. bank Capital One disclosed a data breach affecting nearly 106 million customers in the U.S. and Canada. According to reports, the data breach occurred when a hacker leveraged a firewall misconfiguration to gain access to a Capital One database containing customer information. Compromised data includes contact information, dates of birth, credit scores, account numbers, etc., of credit applicants between 2005 and 2019. Capital One itself did not detect the data breach; instead, the company was made aware by a third party. The hacker, a former Amazon Web Services employee, was discovered after she boasted about exfiltrating Capital One customer information on various social media platforms. She has since been taken into custody.

Capital One has confirmed that it is contacting affected individuals and will be facilitating credit monitoring and identity theft services for those impacted by the data breach. Coming on the heels of the Equifax settlement, this week’s breach is already stirring controversy in the public arena. Top Republicans in the House Oversight and Reform Committee have already issued a demand for public briefings from both Capital One and Amazon Web Services to explain the circumstances of this breach.

Major textbook publisher data breach impacts thousands of students

Pearson, one of the world’s largest educational publishing and software companies, confirmed this week that it has suffered a major data breach. Approximately 13,000 school and university AIMSweb (Pearson’s student monitoring and assessment platform) accounts were compromised in the data breach, with some accounts containing information on hundreds of thousands of students. Compromised information includes contact information as well as dates of birth. Thankfully, no Social Security numbers were exposed. According to reports, the data breach took place in November 2018; however, Pearson was not aware of the data breach until it was notified by the FBI in March 2019. The attacker is still unknown at this point, and investigations are ongoing.

Unsecured Honda database exposes employee data and unpatched systems

An independent security researcher discovered an unsecured database belonging to Japanese car giant Honda. The database, which is said to have contained 40GB of data on employees and internal systems, was discovered in early July, at which point the researcher contacted Honda. The database has since been secured. According to the researcher, the Elasticsearch database was found without any authentication. Exposed data includes employee names, employee IDs, IP addresses, operating system information, information on applied patches, the status of the company’s endpoint security software, and more. The nature of the exposed information is a recipe for a major security disaster. This type of information can be devastating in the wrong hands as it identifies weak spots in Honda’s cybersecurity. As of right now, however, there is no evidence that the data was leaked, according to the researcher—although Honda has yet to issue a statement on the discovery.