Where there is smoke, there is fire.
Today’s WSJ poses a scary question for the credit card industry. Is Capital One the only victimized company? The headline screams, “FBI Examining Possible Data Breaches Related to Capital One.”
- Organizations such as Italian bank UniCredit and Michigan State University were named in the purported list of files posted by the alleged hacker.
- Michigan State University (MSU) said Wednesday it was working with the FBI and assessing whether the hacking suspect also got into its systems, though it said it had no knowledge of a breach.
- Like Capital One, Michigan State is an Amazon Web Services customer. UniCredit S.p.A., Italy’s largest bank, also said Wednesday it is investigating the possibility of a breach related to the Capital One incident.
The issue is simple: Once someone has the keys to the vault, why stop at Capital One?
- Companies have fervently embraced cloud computing for its speed, ease, cost, and security, giving Amazon and others a large and profitable business.
- But the widening probe points out a possible weakness: A hacker who figures out a way around the security fence of one cloud customer not only gets to that customer’s data but also has a method that might be usable against others.
- UniCredit and MSU are mentioned in the postings, as is Ford Motor. A Ford spokeswoman said the company was investigating.
- The Ohio Department of Transportation, also mentioned, said it, too, was working with the FBI.
And now, the European Central Bank is involved. This could get ugly. Really ugly.
- UniCredit’s main regulator, the European Central Bank’s supervision arm, said it doesn’t comment on specific banks. The arm looks closely at cybersecurity risks at banks, including through on-site inspections.
If UniCredit is involved, expect the General Data Protection Act to kick in. British Airways is contending with a $230 million fine. Google was charged $75 million and Uber a million. Bring in UniCredit, an Italian global bank operating in 17 countries with $20 billion in revenue, and expect a new wave of industry controls (and fines).
- Italian banks have been slow to invest in technology as they have struggled to digest piles of bad loans that accumulated on their balance sheets during the financial and sovereign debt crisis. Only three years ago, 17% of Italian banks' loans, whose face value was €360 billion ($401 billion), were sour, according to the Bank of Italy.
If the theory of “once you are in, you are in” holds as the FBI believes, then plenty of financial services companies could be at risk. On the Amazon Web Services website, the Capital One case study mentions many top financial industry users.
Cloud services are an advance in the way we do business, but they do move data processing into non-banking realms. Is the FBI’s concern valid? Yes, I think so.
The next worry for paranoid bankers: If the cloud has risk, what about all those cool APIs?
Overview by Brian Riley, Director, Credit Advisory Service at Mercator Advisory Group