Lead-up to the NonStop TBC 2019 and key takeaways from the Capital One data breach
The months of September to November are notoriously busy with NonStop and other industry events around the globe. September saw comforte attend and present at the OZTUG in Australia, ATUG in Atlanta, and CTUG in Canada. We also participated in the PCI North America community meeting in Vancouver for good measure!
October is going to be equally busy with MexTUG in Mexico and the PCI Europe Community Meeting in Dublin to name but a few.
All this activity is leading up to the main event in the NonStop calendar, the NonStop Technical Boot Camp 2019 from Nov 3-6 in San Francisco! This is the key event for everything NonStop, and comforte is excited to be a Platinum Sponsor yet again.
Visit our stand (P6) in the vendor area and make sure not to miss our presentations on both Security and Digital Enablement. The security talk by Dave Harper, VP Sales, explains how ‘Data is Your Superpower’ and the importance of protecting sensitive data effectively. The second session will walk you through ‘Four steps to mobile- or cloud-enable your Pathway Applications’ hosted by Brad Poole, Senior Solutions Architect at comforte.
As with all the events we participate in, we look forward to hearing the latest news and requirements from our customers and to learning first-hand what HPE’s plans are for NonStop in the coming year and beyond.
One topic that emerges from almost all security-related discussions we have with NonStop and Enterprise users alike is encryption vs tokenisation and their respective merits. Data is your superpower, and the recent data breach at Capital One is a case in point for tokenisation: in the aftermath of the breach it became apparent that it was not all bad news.
Six takeaways from the Capital One data breach
“WHAT’S IN YOUR WALLET?” is the question asked by spokes-celebrity Jennifer Garner in commercials for Capital One. A data breach wasn’t supposed to be one of the things in your wallet, but since it was, the company’s brand is taking a huge hit because of it. Reviewing the details of the incident offers some key insights that technology leaders at other organisations can take away:
1) THIS DATA BREACH INCIDENT WAS NOT ALL BAD NEWS
- No credit card account numbers or log-in credentials were compromised. Both are highly sought-after data types on the Dark Web; therefore, NOT exposing about 100M highly sensitive data records is actually a good thing.
- Also, over 99% of Social Security numbers in Capital One’s possession were not compromised – another good thing.
- Unfortunately, there were still around 140,000 SSNs exposed, roughly 80,000 bank account numbers, and approximately 1 million Social Insurance Numbers of Canadian credit card customers compromised.
TAKE AWAY: The breadth of the breach was not as wide as it could have been – although there are many still seriously affected by the data breach. Even though it may be an unpopular opinion, the CISO (and other I.T. Security Leaders) should be commended for making a decision to (partially) secure sensitive data in a way which reduced the number of records exposed during the data breach.
2) THE AMOUNT OF DATA EXPOSED IN THIS BREACH COULD HAVE BEEN MORE
According to the Data Breach notice from Capital One, they encrypt data as a standard. The attacker also possessed the capability to decrypt the data.
TAKE AWAY: Had Capital One relied solely on encryption as a data protection method for all of their sensitive data, the data stolen could have been easily decrypted by the hacker, meaning the credit card data and log-in credentials could have been exposed. It also highlights one of the key disadvantages of securing data with encryption – theft or misuse of an encryption key.
3) TOKENISATION ON SENSITIVE DATA WORKS.
- The data breach notice pointed out that Capital One also deploys tokenisation on selected sensitive data fields as an effective data protection method. Tokenisation provided an additional data security measure – with fewer security risks than encryption. The result was less customer data exposed during the breach.
- Social Security numbers and account numbers were tokenised, which involves the substitution of the sensitive data element with a cryptographically generated replacement. The methods used to reveal the tokenised fields are different from those used to encrypt data, therefore, the tokenised data remained protected.
TAKE AWAY: If your business is primarily using encryption instead of tokenisation, you need to consider tokenisation as a data protection method right now. Tokenisation actively protects sensitive data even when unauthorised access to systems and applications has been achieved, as this breach incident proved.
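To make the contrast between takeaways 2 and 3 concrete, here is an added illustration (not comforte’s product code and not Capital One’s actual setup) of why a stolen encryption key exposes encrypted fields but not tokenised ones: the token is a random, format-preserving stand-in whose only link to the real value is a lookup in a separate vault. The stream cipher, the `TokenVault` class and the sample SSN are all constructed for this example.

```python
import hashlib
import secrets


def _keystream(key: bytes, length: int) -> bytes:
    # Toy keystream built from SHA-256 (for illustration only, not a real cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: str, key: bytes) -> bytes:
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt(ciphertext: bytes, key: bytes) -> str:
    # Anyone holding the key can reverse this; that is the weakness in takeaway 2.
    plain = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, len(ciphertext))))
    return plain.decode(errors="replace")


class TokenVault:
    """Hypothetical vault-based tokeniser: random digits replace the sensitive digits,
    non-digits and the last four characters are kept so the format survives."""

    def __init__(self):
        self._token_to_value, self._value_to_token = {}, {}

    def tokenise(self, value: str) -> str:
        if value in self._value_to_token:          # same input always maps to the same token
            return self._value_to_token[value]
        body, tail = value[:-4], value[-4:]
        while True:
            candidate = "".join(str(secrets.randbelow(10)) if c.isdigit() else c for c in body) + tail
            if candidate != value and candidate not in self._token_to_value:
                break
        self._token_to_value[candidate] = value   # the ONLY place the real value is recoverable
        self._value_to_token[value] = candidate
        return candidate

    def detokenise(self, token: str) -> str:
        return self._token_to_value[token]        # requires authorised access to the vault


def breach_outcome(ssn: str, key: bytes, vault: TokenVault) -> dict:
    """What an attacker holding the stolen records AND the encryption key gets back."""
    token = vault.tokenise(ssn)
    return {
        "from_ciphertext": decrypt(encrypt(ssn, key), key),  # key theft exposes the encrypted field
        "from_token": decrypt(token.encode(), key),          # the key is useless against the token
        "token": token,
    }
```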