FinTech Cybersecurity: How 'Capital One' Could Have Avoided a Data Breachby@neha-malhotra
444 reads
444 reads

FinTech Cybersecurity: How 'Capital One' Could Have Avoided a Data Breach

by Neha MalhotraSeptember 22nd, 2021
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Analysis suggests that the global online banking market valued at USD 11.43 billion in 2019 is projected to reach [USD 31.81 billion by 2027] In 2020, there were 1.9 billion active online banking users worldwide. With the increasing user base, cybersecurity threats have also emerged in the financial industry. FinTech companies hold confidential data of individuals and businesses in digital form, thus, face their fair share of challenges. Maintaining a reliable and secure cloud server is among the crucial areas for the fintech industry.

Company Mentioned

Mention Thumbnail
featured image - FinTech Cybersecurity: How 'Capital One' Could Have Avoided a Data Breach
Neha Malhotra HackerNoon profile picture

Attributing to the global shut down of physical stores and offices last year, the demand for online financial services increased significantly with the remote work setup. Following this, an analysis suggests that the global online banking market valued at US$11.43 billion in 2019 is projected to reach US$31.81 billion by 2027 at 13.6% CAGR.

In 2020, there were 1.9 billion active online banking users worldwide. This number is also projected to reach 2.5 billion by 2024. With the increasing user base, cybersecurity threats have also emerged in the financial industry. As FinTech companies hold confidential data, the escalations in phishing and ransomware like cyber-attacks have been worrying.

The FinTech sector has observed multiple cyberattacks since its inception. Some of the biggest cyberattacks the FinTech industry faced in the recent past value in millions and billions of dollars.

While FinTech companies may have improved their security wall over the years, the risks involved still hold consumers at breath. FinTech companies hold confidential data of individuals and businesses in digital form, thus, face their fair share of challenges.

Cybersecurity Challenges In The FinTech Industry

Data Sharing

Online facilities have made it easy to share data anywhere across the globe. To protect consumer’s privacy and maintain seamless processes, there must be data encryption to protect it from getting exploited in the grey markets.

Cross-Platform Malware Infection

Modern FinTech organizations use multiple digital platforms to collect, share, and process data globally. This cross-platform usage can attract hackers to develop malware on one platform that circulates the entire system. A major risk of malware function poses a challenge to maintain strong cybersecurity.

Data Security

The digital presence of large businesses comes with the challenge of maintaining data security and universality for the collection, processing, and storage of information. FinTech organizations have ever-evolving user data like personal information, finance, and health statistics are confidential, thus requiring utmost levels of data security against ransomware, DDoS, and other cyber attacks.

Security Risks of Cloud

Most digital platforms are powered by cloud technology for storing and maintaining online data. For banking and other FinTech organizations, using cloud-based services bring them scalability, speed, and multiple other benefits. However, it does have its fair share of security threats. Maintaining a reliable and secure cloud server is among the crucial areas for the FinTech industry.

Digital Identity Management

Maintaining individual identities on online platforms is a key challenge the FinTech industry faces with rising integrated and omnichannel solutions. Biometric information, OTPs, passwords, user IDs, and user authentication apps require strong cybersecurity on all levels to avoid cloning or stealing data. The loss may value in million or billion dollars.

Case Study: Capital One Security Breach

MIT Management Sloan School conducted a case study in 2020 on the Capital One data breach of July 2019 that affected millions of users in the US and Canada.

Capital One is the fifth-largest bank in the United States that is highly regulated by the industry standards set by NYSE, SEC, FCC, and other regulatory bodies. Since 2014, Capital One had been expanding its use of cloud environments to reduce the load on data centers. Besides, the bank also worked with AWS in optimizing security models for secure online financial services.

Despite heavy investments in developing secure IT infrastructure, it released a report on July 29, 2019, stating, “the company had determined that an outside individual gained unauthorized access and obtained certain information of credit card customers, affecting 100 million US and 6 million Canadian citizens.”

While the attack took place in March, Capital One could only recognize it in July 2019. The FBI stated that the hacker gained access to Capital One’s rented AWS cloud server. The hacker hosted a 3-command script on the GitHub repository that was deployed to access Capital One’s AWS server and obtain confidential credit card information of its users.

The extent of a data breach was such that numerous cyber security controls supposedly failed escalating hacker’s access into the server and data exfiltration. After following the basic risk management protocols, private organizations usually have the flexibility to adjust further guidelines and controls that fits their technical requirements. Usually, the NIST framework core defines activities for a more secure IT infrastructure.

CSF NIST framework looks after the following elements:

  • Functions: to identify, detect, protect, respond, and recover the threat
  • Categories & Subcategories: to contain specific challenges in the five functions (e.g. data security, governance, analysis, response time, asset management)
  • Information Sources: to perform specific tasks under categories and subcategories following an adequate procedure (e.g. manual)
  • Implementation tiers: represents how well an enterprise defines cybersecurity and takes steps to mitigate the threats (Tier 1 - partial, Tier 2 - Risk informed, Tier 3 - Repeatable, Tier 4 - Adaptable)

Every tier of the NIST Cybersecurity Framework is a benchmark for current operations, standardizing cybersecurity and risk management. In case of failure at any step, the entire system becomes vulnerable to hack.

In Capital One’s case, the controls possibly failed due to inadequate parameters established earlier compared to the CSF NIST framework. The opportunity for hackers laid in the window between the interpretation of the compliance control application.

Even after investing heavily in securing IT infrastructure, talented engineers, CISO, and developing security tools with AWS, Capital One failed to avoid data breaches. It was followed by a decline in stock prices and image negativity highlighting security framework ‘misconfigurations’ and management issues.

How It Could Have Been Avoided?

Keeping controls relevant with compliance standards, legislations, and regulations as the technology evolved - in the case of Capital One’s breach, the existing security controls applied to Cloud Computing Storage properties were not configured as per the standards set by FFIEC. Therefore, its Cybersecurity Framework could not prevent access and exfiltration of sensitive information.

Establishing a governance structure for using multidisciplinary skills and tools - to understand the requirements of evolving technologies, professionals with extremely technical roles must improve their security and governance skills with time. Besides, organizations also need to establish a governance structure for approvals and action mandates to make on-time decisions.

Following best CSF NIST framework practices for securing cloud environment - Federal Financial Institutions Examination Control (FFIEC) has established a set of controls to benefit organizations in their CSF NIST framework. Especially for highly regulated industries, it gives more inputs to enforce controls during security operations.

Auditing and managing compliance windows - by increasing operation audits, companies can fill the gap between compliance windows for better cyber defense. It continuously helps measure the efficacy of current security compliance controls in real-time.

Cybersecurity Solutions for FinTech

Cybersecurity is key for developing a framework for any digital FinTech service. Some of the best practices for building secure FinTech solutions are:

Data Encryption

Data encryption and tokenization are the most effective FinTech solutions. An organization can protect critical data with complex and encrypted algorithms like RSA, Twofish, and 3DES. Also, companies can decrypt original information into readable format via toke vaults.


Cybersecurity is an ongoing process integrated into the Software Development Life Cycle (SDLC). To create a safe digital space, DevSecOps methodology is critical for the integration of cybersecurity in the production pipeline.

Secure Application Logic

An encrypted password policy is crucial for FinTech security that adds to the application protection. Implementing an OTP system, short log-in sessions, and adaptive authentication can help mitigate data breach risks through multi-level protection.

Role-Based Access Control

Role-based control restricts access to the network based on its user’s relationship with an enterprise. Through its varying access control companies can reduce internal and external security threats effectively.


It is a fact that FinTech software requires consistent testing on each level of SDLC. Some proven methods of building a secure ecosystem are - run penetration tests, regular IT security audits, investing in finance domain testing. Many fintech firms neglect the importance of best practices of financial domain testing. As a result, they experience challenges in delivering expected results and performance.

Here is the case study that discusses a leading financial technology services provider who experienced challenges testing new and existing features. It is because they were entirely dependent on APIs.

To manage these challenges, they approached QA experts for the solution. They suggested implementing API, performance, functional, and automation testing solutions to streamline testing and achieve pre-defined results.

After implementing the above testing practices, the financial technology services provider achieved the following results:

Created 36,500 test cases to analyze the application Automated 5,386 test cases across smoke and regression suites Reported 21,765 defects throughout all applications

Therefore, before testing any domain, including FinTech, QA engineers must consider a resilient QA and cyber security testing checklist that contains a few questions. What are these? Let’s explore.

1. What is your product’s type?

2. What is your product’s category?

3. What threat does the software cover?

4. Which environments are supported?

5. Do you have a thorough test plan?

Cyber security testing checklist |

The Cyber Road Ahead in FinTech

Financial institutions handle confidential data of individuals and businesses in large digital formats. While it is easy to store and analyze information digitally, it brings a set of cybersecurity challenges in terms of sharing, storing, and managing data. Some of the major risks unauthorized intrusion poses are cross-platform malware infection, Cloud-based cybersecurity risks, including ransomware, and Distributed Denial of Service (DDoS).

By recognizing vulnerable areas and windows, businesses can ramp up intuitively secure designs and manage risks efficiently. Besides, the best practices of cyber protection and data security solutions play a critical role in managing future risks.