U.S. Markets closed

Capital One Breach a Win for Crowdsourced Cybersecurity

William Turton and Jenny Surane

(Bloomberg) -- When Ali Tutuncu found a vulnerability in Capital One Financial Corp.’s software in March, the company fixed the flaw in 20 days. An independent security researcher, Tutuncu said the bank thanked him and added him to its page of fame.

“They did not pay financially,” he said. “Still, it was a nice experience.”

Capital One is among a relatively small group of major companies that are encouraging the typically anti-establishment hacker community -- and security researchers too -- to find potential vulnerabilities in their computer networks before malicious hackers do. Some of the programs offer cash rewards, called bug bounties, of as much as $200,000.

The bank is crediting its Responsible Disclosure Program with helping them track down a Seattle woman who had allegedly infiltrated their computer network. Paige Thompson, 33, allegedly accessed a massive amount of data: more than 100 million people, including names, addresses, dates of birth and about 140,000 Social Security numbers.

That’s a black eye for a company that’s touted its tech savviness, and the hack has sent Capital One Shares tumbling 11% in the last week. But it appears the damage could have been worse: Capital One said it was unlikely the information was used for fraud or disseminated to others.

Thompson was charged on July 29 with computer abuse and fraud. Her arrest marks a major success for cyber tip lines, and one that is likely to encourage other companies to start their own. Paul Benda, senior vice president of risk and cybersecurity policy at the American Bankers Association, said he couldn’t recall a tip that was wrapped up so quickly.

“From the time they submitted, to the time it was shut down to the time there was an arrest, there’s no example I think that comes close to that,” he said.

Alex Rice, co-founder and chief technology officer of HackerOne Inc., which manages “hacker-powered security” platforms for Capital One and other companies, said, “Usually vulnerability disclosure programs are not uncovering criminal activity. But it is phenomenal that it works out that way.”

Jennifer Bayuk, a former risk cybersecurity executive at several major banks including JP Morgan Chase & Co., said if banks don’t already have vulnerability disclosure programs, they are likely looking at them now. “They’re probably looking at the Capital One news and meeting with legal as we speak.”

There appears to be plenty of room for growth. A 2018 HackerOne report concluded that 93% of the world’s largest public companies don’t have a policy to handle “critical bug reports” submitted by outsiders.

The tip that led to Thompson’s arrest came in on July 17, when an unnamed “external security researcher” emailed Capital One’s disclosure program saying that leaked data was being stored on a publicly accessible file at GitHub, which allows users to manage and store software projects.

Capital One provided few details when asked about its cyber tip line. A public page about the bank’s program at HackerOne shows that it has received at least 30 reports of security flaws since it started in January. HackerOne declined to say how many of those reports were validated security flaws.

“White Hat” hacker programs have been around for years, but they have become more formalized as the volume and severity of threats has increased. Some companies manage their own vulnerability disclosure efforts. Companies like HackerOne and BugCrowd offer services to analyze incoming tips and, if warranted, pass them on to their client’s security team.

“You have to filter it out pretty carefully before you realize what’s real and what’s not,” said Dave Aitel, chief technical officer at Cyxtera Technologies, which provides security for computer networks and cybersecurity services.

Crowdsourcing Security

Vulnerability disclosure programs allow companies to crowdsource security, tapping researchers with a diverse background of skills to stress test computer infrastructure. Ethical hackers and security researchers with specialized skills may discover a flaw that a company’s internal security team missed, or a flaw that may have not been included within the scope of a bank’s security risk assessment, Bayuk said.

The programs run from invitation-only disclosure programs, which are often used by companies in regulated spaces like financial services and health care, to tip lines that are open to all comers. It’s seen as an alternative to traditional “penetration testing,” where companies hire outside firms to test the security of its networks.

Some companies, like Capital One, provide policies agreeing not to prosecute security researchers for finding bugs in its systems as long as they abide by specific protocols.

Still, inviting hackers to rummage through a computer network isn’t without some risks, since they could come across customer identities or even potentially damage the system, Bayuk said. If a hacker or security researcher were to come across personally identifiable information on Capital One’s services, the company advises them to immediately purge the data and contact the company, according to the program guidelines.

Some financial intuitions stop short of offering financial rewards due to a fear it could encourage criminal behavior, Bayuk said.

Bug Bounties

But organizations that offer financial rewards to hackers or security researchers typically get more tips, Bayuk said. The amount of the bug bounties depend on the quality of the information provided by the tipster and the severity of the hack, and rewards range from a couple hundred dollars to hundreds of thousands of dollars.

Apple Inc., for instance, will pay out as much as $50,000 for pointing out a bug that allows a hacker to access iCloud account data on Apple servers, and as much as $200,000 for vulnerabilities in its secure boot firmware components, which blocks malware when a phone starts, according to the company’s iOS security guide. On Monday, Microsoft Corp. announced that it was doubling the top bounty reward, to $40,000, for finding bugs in Azure, the company’s competitor to Amazon Web Services.

Goldman Sachs Group Inc. has had a private disclosure program in place since January 2018 and awarded $40,500 since it was started, said Patrick Lenihan, a bank spokesman. Goldman offers a maximum payout of $15,000 to people who identify vulnerabilities, though awards are usually around $1,000, Lenihan said.

In recent weeks, it also started a public program -- offering incentives to people who identify flaws such as “unauthorized access to sensitive information.” It too has a maximum reward of $15,000 but that’s likely to increase as it expands, Lenihan said.

‘Thank-you T-shirt’

Even if Capital One offered cash rewards, it’s not clear that the unnamed tipster would have netted a huge reward. That’s because the information provided was more of a heads-up about a leaked data, rather than a detailed report outlining a major flaw, Aitel said.

“You’re not gonna make a ton of money saying, ‘Hey, I think someone has your information on a Github account,’ ” he said, adding, “They might send you a thank you T-shirt. They definitely owe you a thank you T-shirt.”

To contact the reporters on this story: William Turton in New York at wturton1@bloomberg.net;Jenny Surane in New York at jsurane4@bloomberg.net

To contact the editors responsible for this story: Andrew Martin at amartin146@bloomberg.net, Steve Geimann

For more articles like this, please visit us at bloomberg.com

©2019 Bloomberg L.P.