First Rate Responds to the Capital One Data Breach
When over 100 million people across the U.S. have become vulnerable to a mass financial data breach, it’s easy to succumb to fear. However, you will notice that “Fear” is conspicuously missing from First Rate’s core values of Love, Give, Serve, and Enjoy. Accordingly, spreading fear is not the purpose of this short summary of our analysis of the Capital One Financial breach that was disclosed on July 29, 2019. Our purpose is to provide a brief overview of how it occurred and to help employees and customers understand how First Rate’s information security design and information security management system (ISMS) differ in ways that protect our clients’ data and prevent such incidents from occurring.
There appear to be two root causes of the Capital One Financial breach:
- According to Capital One, an open-source web application firewall (WAF) that it operated in AWS was misconfigured.
- The misconfiguration let the attacker, a former AWS employee, relay requests from the internet through the WAF to the AWS instance metadata service, a server-side request forgery. That service answers requests that appear to come from the instance itself with the temporary credentials of the IAM role attached to the instance; the attacker used those credentials to list and copy customer data from Capital One’s cloud storage buckets. A properly configured WAF would have refused to forward requests to that internal address.
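The request path described above, as an added illustration that is not Capital One’s, AWS’s or First Rate’s code: a web-tier proxy that forwards client-supplied URLs without checks (the effect of the WAF misconfiguration) beside one that refuses link-local and internal targets. The HTTP client, the DNS table, the role name `WebRole` and the credential values are constructed stand-ins so the block runs offline; only the metadata address and path layout follow AWS’s documented IMDSv1 endpoint.

```python
"""SSRF to the instance metadata service: permissive forwarding vs a fail-closed target check.

fake_http_get, FAKE_METADATA and FAKE_DNS are constructed fixtures (assumptions for
this example); they stand in for a real HTTP client and DNS so nothing leaves the host.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed fixture shaped like the IMDSv1 role-credential documents (no real keys).
FAKE_METADATA = {
    "169.254.169.254": {
        "/latest/meta-data/iam/security-credentials/": "WebRole",
        "/latest/meta-data/iam/security-credentials/WebRole":
            '{"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"EXAMPLEKEY","Token":"EXAMPLETOKEN"}',
    }
}
# Constructed address book standing in for DNS resolution.
FAKE_DNS = {
    "metadata.example.internal": "169.254.169.254",  # an attacker-controlled name pointing inward
    "api.partner.example": "203.0.113.10",           # a legitimate upstream
}

# Ranges a web tier should never be asked to fetch from on a client's behalf.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16",    # link-local; includes the EC2/cloud metadata endpoint
    "fd00:ec2::254/128", # EC2 metadata endpoint over IPv6
    "fe80::/10", "127.0.0.0/8", "::1/128", "0.0.0.0/8",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
)]


def canonical_ip(host):
    """Normalise the spellings a host can take into one ip_address.

    Covers dotted quad, IPv6 (including IPv4-mapped ::ffff:a.b.c.d) and the bare
    integer / hex forms (http://2852039166/ is 169.254.169.254) that string-matching
    filters miss. Raises ValueError when host is not an address at all.
    """
    h = host.strip("[]")
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        ip = ipaddress.ip_address(int(h, 0))  # "2852039166", "0xa9fea9fe"; names raise ValueError
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip


def resolve(hostname):
    """Stand-in for a DNS lookup. Real code should use socket.getaddrinfo, check every
    returned address, and connect to the address it checked (DNS rebinding)."""
    try:
        return canonical_ip(hostname)
    except ValueError:
        if hostname in FAKE_DNS:
            return canonical_ip(FAKE_DNS[hostname])
        raise ValueError(f"unresolvable host {hostname!r}")


def is_allowed_target(url):
    """Fail closed: only http(s) to a resolvable address outside BLOCKED_NETS."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = resolve(parts.hostname)
    except ValueError:
        return False
    return not any(ip in net for net in BLOCKED_NETS)


def fake_http_get(url):
    """Offline stand-in for an HTTP GET; serves the constructed metadata fixture."""
    parts = urlsplit(url)
    host = FAKE_DNS.get(parts.hostname, parts.hostname)
    try:
        host = str(canonical_ip(host))
    except ValueError:
        pass
    return FAKE_METADATA.get(host, {}).get(parts.path, f"<html>upstream {parts.hostname}</html>")


def vulnerable_proxy(url):
    """What a permissive WAF/reverse-proxy rule amounts to: forward whatever was asked for."""
    return fake_http_get(url)


def hardened_proxy(url):
    """Same forwarder behind the target check."""
    if not is_allowed_target(url):
        raise PermissionError(f"refusing to fetch {url}")
    return fake_http_get(url)
```

The vulnerable forwarder hands back the role name and then the temporary credentials for any spelling of the metadata address, which is the whole attack; the hardened one rejects them and also refuses names it cannot resolve. AWS later added IMDSv2, which requires a session token obtained with a PUT request before metadata is served, so a plain forwarded GET no longer returns credentials on instances that require it.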
How First Rate is different:
- We host our own environment, on systems owned and managed by First Rate.
- Our applications run in a true three-tier architecture, with the web servers hosted in a DMZ (demilitarized zone) and all sensitive information held behind firewalls, with network-based intrusion prevention/detection systems at the network boundary and host-based intrusion prevention/detection systems on the servers themselves.
- Access control lists restrict which Internet Protocol (IP) addresses may initiate connections to our application and database servers, and, because we run on our own hardware, there is no cloud metadata service for a forwarded request to reach. The specific attack path used against Capital One therefore does not exist in our environment.
As a result of these differentiators, employees and customers should feel confident because it’s highly unlikely that First Rate’s application and infrastructure could be manipulated in the same way that Capital One’s was to expose customer or First Rate proprietary data.
We’d like to conclude by noting that First Rate’s Management works closely with the First Rate Chief Compliance Officer and Information Security Manager to provide routine counsel and oversight of the ISMS. Our goal is continuous improvement, and part of that improvement is ensuring that we have the necessary tools, people, and processes for maintaining and monitoring the controls on which First Rate relies to keep our systems and data secure, available, and confidential.
If you have any questions regarding this memorandum or on the First Rate ISMS, please contact Chief Compliance Officer Jay Anthony at [email protected], or Information Security Manager Brian Moffitt at [email protected].