Information Systems


Please review the attached document – Powerpoint Exercise.pdf

Supporting documents are all uploaded as individual pdfs

It is important to understand what information systems are and why they are essential for running and
managing a business. The case studies below will provide you with an opportunity to review many of the
concepts covered in this course. These case studies provide you with an opportunity to critically analyze
events that are taking place in real-life organizations. This helps to develop your critical thinking and
research skills as you research each of these scenarios.

For this assignment, you will review four case studies. Then, in a PowerPoint presentation, you will
evaluate the studies and address each of the requirements listed below, using both critical thinking and
theory as well as supporting documentation.

Review and analyze the Case Study “Will the Coronavirus Pandemic Make Working from Home the New
Normal?” and address the following in a minimum of four slides:

• Define the problem described in this case. What are the management, organization, and
technology issues raised by this problem?

• Identify the information technologies used to provide a solution to this problem. Was this a
successful solution? Why, or why not?

• Will working from home become the dominant way of working in the future? Why, or why not?

Review and analyze the Case Study “Is Social Business Good Business?” and address the following in a
minimum of four slides:

• Identify the management, organization, and technology factors affecting adoption of internal
corporate social networks.

• Compare the experiences implementing internal social networks of the organizations described
in this case. Why was Standard Bank successful? What role did management play in this

• Should all companies implement internal enterprise social networks? Why, or why not?

Review and analyze the Case Study “Is the Equifax Hack the Worst Ever—and Why?” and address the
following in a minimum of four slides:

• Identify and discuss the security and control issues that resulted from flaws in Equifax security
and control.

• What management, organization, and technology factors contributed to these problems?
• Discuss the impact of the Equifax hack.
• How can future data breaches like this one be prevented? Explain your answer.

Finally, review the case study “Capital One: A Big Bank Heist from the Cloud”, and address the prompts
below in at least four slides.

• Discuss at least two security threats to cloud data.
• What should companies do to protect cloud data?
• Discuss why both the company and the cloud vendor are responsible for security.
• Discuss at least one security control that companies can use to increase security.

In formatting your PowerPoint presentation, do not use the question-and-answer format; instead, use
bullets, graphs, and/or charts in your slides to identify important points, and then discuss those points in
the speaker notes of each slide. The speaker notes section of each slide should not repeat slide
information, but serve as an area in which you augment or elaborate on slide information so that your
audience has a better understanding of the material. You must have a minimum of 100 words in the
Speaker Notes section of each content slide.

Your PowerPoint presentation should be a minimum of 15 slides in length (not counting the title and
reference slides). You are required to use a minimum of two peer-reviewed, academic sources that are
no more than 5 years old to support each case study. You may use your eTextbook once in each case
study. All sources used, including the eTextbook, must be referenced; all paraphrased material must
have accompanying in-text citations. APA style and formatting is required.

eTextbook used is
Management Information Systems

Kenneth C. Laudon; Jane P. Laudon

Interactive Session Organizations

Will the Coronavirus Pandemic Make Working from Home the New Normal?

As COVID-19 continued to spread around the globe, companies large and small started to make changes
to the way they work, shuttering their offices and requiring most or all of their employees to work
remotely from their homes.

During the pandemic, ClearRisk, which offers integrated, cloud-based software solutions for claims,
fleet, incident, and insurance certificate management, had its entire staff working from home.

Many large law firms, including Reed Smith, Baker McKenzie, and Nixon Peabody, closed offices and
required work at home during the pandemic. The law firms emphasized that they could continue to
serve clients despite office closings and remote work.

OpenText Corp., a Canadian provider of enterprise information management products, plans to
eliminate more than half of its 120 offices globally, with 2000 of its 15,000-person workforce working
from home permanently.

In mid-May 2020, Twitter Inc. notified employees that most of them could work from home indefinitely.

According to a recent MIT report, 34 percent of Americans who previously commuted to work stated
that they were working from home by the first week of April 2020 due to the coronavirus outbreak.
Prior to the pandemic, the number of people regularly working from home remained in the single digits,
with only about 4 percent of the US workforce working from home at least half the time. However, the
trend of working from home had been slowly gaining momentum thanks to advances in information
technology for remote work and changes in corporate work culture. The coronavirus pandemic may
mark a tipping point.

It’s likely that many people who started working from home for the first time during the pandemic will
continue to do so thereafter. New health guidelines about distancing will require some workplaces to
expand to accommodate all their employees or to have a significant percentage of employees work
permanently from home.

Information technologies driving these changes include broadband high-speed Internet connections,
laptop computers, tablets, smartphones, email, messaging, and videoconferencing tools. As companies
shift their work from face-to-face to remote, video conferencing is becoming the new normal for
meetings. People are trying to have good conversations, share critical information, generate new ideas,
reach consensus, and make decisions quickly on this platform.

Although less than ideal for face-to-face interactions, videoconferencing is becoming more powerful and
affordable. There are many options, including Skype, Skype for Business, Zoom, Microsoft Teams,
Amazon Chime, BlueJeans, Cisco’s WebEx, GoToMeetings, and Google Meet. Some business people are
using the same tools they do in their personal communications, such as FaceTime and Facebook
Messenger. (FaceTime now supports group video chat with up to 32 people.)

Video conference software such as WebEx and BlueJeans appears designed for more corporate uses.
Other software such as Microsoft’s Skype and Zoom feels more consumer-friendly and easier to set up,
with free or low-cost versions suitable for smaller businesses. Skype works for video chats, calls, and
instant messaging and can handle up to 50 people in a single video call. Skype allows calls to be
recorded in case someone misses a meeting. Skype also provides file-sharing capabilities, caller ID,
voicemail, a split view mode to keep conversations separate, and screen share on mobile devices.

Up to 1,000 users can participate in a single Zoom video call, and 49 videos can appear on the screen at
once. Zoom includes collaboration tools like simultaneous screen-sharing and co-annotation, and the
ability to record meetings and generate transcripts. Users can adjust meeting times, select multiple
hosts, and communicate via chat if microphones and cameras are turned off.

There are definite benefits to remote work: lower overhead, more flexible schedules, reductions in
employee commuting time and attrition rates, and increases in productivity. (Many companies reported
that productivity did not suffer when employees worked at home during the pandemic.) According to
Global Workplace Analytics, a typical company saves about $11,000 per half-time telecommuter per
year. Working remotely also poses challenges.

Not all employees have access to the Internet at home, and many work in industries that require on-site
work. About 80 percent of American adults have high-speed broadband Internet service at home.
However, according to a Pew Research Center study, racial minorities, older adults, rural residents, and
people with lower levels of education and income are less likely to have in-home broadband service. In
addition, one in five American adults access the Internet only through their smartphones. Employees
with little children or small apartments find working at home more difficult.

Full-time employees are four times more likely to have remote work options than part-time employees.
According to Global Workplace Analytics, a typical remote worker is college-educated, at least 45 years
old, and earns an annual salary of $58,000 while working for a company with more than 100 employees.

Although email and text messaging are very useful, they are not effective tools for communication
compared to the information exchange and personal connection of face-to-face conversations. Remote
work also inhibits the creativity and innovative thinking that take place when people interact with each
other face-to-face, and videoconferencing is only a partial solution. Studies have found that people
working together in the same room tend to solve problems more quickly than remote collaborators, and
that team cohesion suffers when members work remotely.

Is the Equifax Hack the Worst Ever—and Why? Case Study

Equifax (along with TransUnion and Experian) is one of the three main U.S. credit bureaus, which
maintain vast repositories of personal and financial data used by lenders to determine creditworthiness
when consumers apply for a credit card, mortgage, or other loans. The company handles data on more
than 820 million consumers and more than 91 million businesses worldwide and manages a database
with employee information from approximately 11,000 employers, according to its website. These data
are provided by banks and other companies directly to Equifax and the other credit bureaus. Consumers
have little choice over how credit bureaus collect and store their personal and financial data.

Equifax has more data on you than just about anyone else. If any company needs airtight security for its
information systems, it should be credit reporting bureaus such as Equifax. Unfortunately, this has not
been the case.

On September 7, 2017, Equifax reported that from mid-May through July 2017 hackers had gained access
to some of its systems and potentially the personal information of about 143 million U.S. consumers,
including Social Security numbers and driver’s license numbers. Credit card numbers for 209,000
consumers and personal information used in disputes for 182,000 people were also compromised.
Equifax reported the breach to law enforcement and also hired a cybersecurity firm to investigate. The
size of the breach, importance, and quantity of personal information compromised by this breach are
considered unprecedented.

Immediately after Equifax discovered the breach, three top executives, including Chief Financial Officer
John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange
Commission filings. A company spokesman claimed the three executives had no knowledge that an
intrusion had occurred at the time they sold their shares on August 1 and August 2. Bloomberg reported
that the share sales were not planned in advance. On October 4, 2017, Equifax CEO Richard Smith
testified before Congress and apologized for the breach.

The size of the Equifax data breach was second only to the Yahoo breach of 2013, which affected data of
all of Yahoo’s 3 billion customers. The Equifax breach was especially damaging because of the amount of
sensitive personal and financial data stored by Equifax that was stolen, and the role such data play in
securing consumers’ bank accounts, medical histories, and access to financing. In one swoop the hackers
gained access to several essential pieces of personal information that could help attackers commit
fraud. According to Avivah Litan, a fraud analyst at Gartner Inc., on a scale of risk to consumers of 1 to
10, this is a 10.

After taking Equifax public in 2005, CEO Smith transformed the company from a slow-growing
credit-reporting company (1–2 percent organic growth per year) into a global data powerhouse. Equifax
bought companies with databases housing information about consumers’ employment histories,
savings, and salaries, and expanded internationally. The company bought and sold pieces of data that
enabled lenders, landlords, and insurance companies to make decisions about granting credit, hiring job
seekers, and renting an apartment. Equifax was transformed into a lucrative business housing $12
trillion of consumer wealth data. In 2016, the company generated $3.1 billion in revenue.

Competitors privately observed that Equifax did not upgrade its technological capabilities to keep pace
with its aggressive growth. Equifax appeared to be more focused on growing data it could


Hackers gained access to Equifax systems containing customer names, Social Security numbers, birth
dates, and addresses. These four pieces of data are generally required for individuals to apply for various
types of consumer credit, including credit cards and personal loans. Criminals who have access to such
data could use it to obtain approval for credit using other people’s names. Credit specialist and former
Equifax manager John Ulzheimer calls this a “nightmare scenario” because all four critical pieces of
information for identity theft are in one place.

The hack involved a known vulnerability in Apache Struts, a type of open-source software Equifax and
other companies use to build websites. This software vulnerability had been publicly identified in March
2017, and a patch to fix it was released at that time. That means Equifax had the information to
eliminate this vulnerability two months before the breach occurred. It did nothing.

Weaknesses in Equifax security systems were evident well before the big hack. A hacker was able to
access credit-report data between April 2013 and January 2014. The company discovered that it
mistakenly exposed consumer data as a result of a “technical error” that occurred during a 2015
software change. Breaches in 2016 and 2017 compromised information on consumers’ W-2 forms that
were stored by Equifax units. Additionally, Equifax disclosed in February 2017 that a “technical issue”
compromised credit information of some consumers who used identity-theft protection services from


Analyses earlier in 2017 performed by four companies that rank the security status of companies based
on publicly available information showed that Equifax was behind on basic maintenance of websites
that could have been involved in transmitting sensitive consumer information. Cyberrisk analysis firm
Cyence rated the danger of a data breach at Equifax during the next 12 months at 50 percent. It also
found the company performed poorly when compared with other financial-services companies. The
other analyses gave Equifax a higher overall ranking, but the company fared poorly in overall
web-services security, application security, and software patching.

A security analysis by Fair Isaac Corporation (FICO), a data analytics company focusing on credit scoring
services, found that by July 14 public-facing websites run by Equifax had expired certificates, errors in
the chain of certificates, or other web-security issues. Certificates are used to validate that a user’s
connection with a website is legitimate and secure.

The findings of the outside security analyses appear to conflict with public declarations by Equifax
executives that cybersecurity was a top priority. Senior executives had previously said cybersecurity was
one of the fastest-growing areas of expense for the company. Equifax executives touted Equifax’s focus
on security in an investor presentation that took place weeks after the company had discovered the


Equifax has not revealed specifics about the attack, but either its databases were not encrypted or
hackers were able to exploit an application vulnerability that provided access to data in an unencrypted
state. Experts think—and hope—that the hackers were unable to access all of Equifax’s encrypted
databases to match up information such as driver license or Social Security numbers needed to create a
complete data profile for identity theft.

Equifax management stated that although the hack potentially accessed data on approximately 143
million U.S. consumers, it had found no evidence of unauthorized activity in the company’s core credit
reporting databases. The hack triggered an uproar among consumers, financial organizations, privacy
advocates, and the press. Equifax lost one-third of its stock market value. Equifax CEO Smith resigned,
with the CSO (chief security officer) and CIO departing the company as well. Banks had to replace
approximately 209,000 credit cards that were stolen in the breach, a major expense. Lawsuits are in the


Unfortunately, the worst impact will be on consumers themselves, because the theft of uniquely
identifying personal information such as Social Security numbers, address history, debt history, and birth
dates could have a permanent effect. These pieces of critical personal data could be floating around the
Dark Web for exploitation and identity theft for many years. Such information would help hackers
answer the series of security questions that are often required to access financial accounts. According to
Pamela Dixon, executive director of the World Privacy Forum, “This is about as bad as it gets.” If you
have a credit report, there’s at least a 50 percent chance or more that your data were stolen in this


The data breach exposed Equifax to legal and financial challenges, although the regulatory environment
is likely to become more lenient under the current presidential administration. It already is too lenient.
Credit reporting bureaus such as Equifax are very lightly regulated. Given the scale of the data
compromised, the punishment for breaches is close to nonexistent. There is no federally sanctioned
insurance or audit system for data storage, the way the Federal Deposit Insurance Corporation provides
insurance for banks after losses. For many types of data, there are few licensing requirements for
housing personally identifiable information. In many cases, terms-of-service documents indemnify
companies against legal consequences for breaches.

Experts said it was highly unlikely that any regulatory body would shut Equifax down over this breach.
The company is considered too critical to the American financial system. The two regulators that do
have jurisdiction over Equifax, the Federal Trade Commission and the Consumer Financial Protection
Bureau, declined to comment on any potential punishments over the credit agency’s breach.

Even after one of the most serious data breaches in history, no one is really in a position to stop Equifax
from continuing to do business as usual. And the scope of the problem is much wider. Public policy has
no good way to heavily punish companies that fail to safeguard our data. The United States and other
countries have allowed the emergence of huge phenomenally detailed databases full of personal
information available to financial companies, technology companies, medical organizations, advertisers,
insurers, retailers, and the government.

Equifax has offered very weak remedies for consumers. People can go to the Equifax website to see if
their information has been compromised. The site asks customers to provide their last name and the
last six digits of their Social Security number. However, even if they do that, they do not necessarily
learn whether they were affected. Instead, the site provides an enrollment date for its protection
service. Equifax offered a free year of credit protection service to consumers enrolling before November
2017. Obviously, all of these measures won’t help much because stolen personal data will be available
to hackers on the Dark Web for years to come. Governments involved in state-sponsored cyberwarfare
are able to use the data to populate databases of detailed personal and medical information that can be
used for blackmail or future attacks. Ironically, the credit-protection service that Equifax is offering
requires subscribers to waive their legal rights to seek compensation from Equifax for their losses in
order to use the service, while Equifax goes unpunished. On March 1, 2018, Equifax announced that the
breach had compromised an additional 2.4 million more Americans’ names and driver’s license


In late 2018, the U.S. House Committee on Oversight and Government Reform published a new report
on the Equifax breach. The report concluded that the incident was “entirely preventable” and occurred
because Equifax had failed to implement an adequate security program to protect its sensitive data. But
authorities have neither sanctioned Equifax nor addressed the deeper industry-wide flaws that the
incident exposed. Since the hack, Equifax has spent over $1 billion, including costs for litigation and
fines, and will have to pay a settlement of up to $700 million to resolve investigations and lawsuits
stemming from the data breach. The company continues to do business as usual.

Harmful data breaches
keep happening. In almost all cases, even when the data concerns tens or hundreds of millions of
people, companies such as Equifax and Yahoo that were hacked continue to operate. There will be
hacks—and afterward, there will be more. Companies need to be even more diligent about
incorporating security into every aspect of their IT infrastructure and systems development activities.
According to Litan, to prevent data breaches such as Equifax’s, organizations need many layers of
security controls. They need to assume that prevention methods are going to fail.

Is Social Business Good Business? Case Study

As companies become more dispersed in the global marketplace, businesses are turning increasingly to
workplace collaboration technology, including tools for internal social networking. These tools can
promote employee collaboration and knowledge sharing, and help employees make faster decisions,
develop more innovative ideas for products and services, and become more engaged in their work and
their companies.

Adoption of internal enterprise social networking is also being driven by the flood of email that
employees typically receive each day and are increasingly unable to handle. Hundreds of email
messages must be opened, read, answered, forwarded, or deleted. For example, Winnipeg,
Manitoba–based Duha Group, which produces color paint samples and color systems for paint companies across
the globe, was able to eliminate 125,000 excess emails per year by adopting Salesforce Chatter social
collaboration tools. Managing Director Emeric Duha, who used to receive 50 emails each morning from
Asia, Europe, and Australia, now has a Chatter feed of everything going on in the company.

Another driver of enterprise social networking is “app fatigue.” In order to collaborate, many employees
have to log on to numerous apps, creating additional work. Contemporary enterprise social networking
systems often integrate multiple capabilities in one place.

Recent studies have found that collaboration tools could be effective in boosting efficiency and
productivity, while enabling users to make better business decisions. The products also expanded the
potential for innovation. Not all companies, however, are successfully using them. Implementation and
adoption of enterprise social networking depends not only on the capabilities of the technology but on
the organization’s culture and the compatibility of these tools with the firm’s business processes. The
technologies won’t provide benefits if they are applied to flawed business processes and organizational
behaviors. Digital collaboration tools such as Microsoft Teams, Chatter, Yammer, Zoom, and WebEx
added to email, texting, and messaging may enmesh employees in too many interactions, leaving even
less time for in-depth individual thinking and problem-solving.

When firms introduce new social media technology (as well as other technologies), a sizable number of
employees resist the new tools, clinging to old ways of working, including email, because they are more
familiar and comfortable. There are companies where employees have duplicated communication on
both social media and email, increasing the time and cost of performing their jobs. BASF, the world’s
largest chemical producer with subsidiaries and joint ventures in more than 80 countries, prohibited
some project teams from using email to encourage employees to use new social media tools.

Social business requires a change in thinking, including the ability to view the organization more
democratically in a flatter and more horizontal way. A social business is much more open to everyone’s
ideas. A secretary, assembly line worker, or sales clerk might be the source of the next big idea. As a
result, getting people to espouse social business tools requires more of a “pull” approach, one that
engages workers and offers them a significantly better way to work. In most cases, they can’t be forced
to use social apps.

Enterprise capabilities for managing social networks and sharing digital content can help or hurt an
organization. Social networks can provide rich and diverse sources of information that enhance
organizational productivity, efficiency, and innovation, or they can be used to support preexisting groups
of like-minded people that are reluctant to communicate and exchange knowledge with outsiders.
Productivity and morale will fall if employees use internal social networks to criticize others or pursue
personal agendas.

Social business applications modeled on consumer-facing platforms such as Facebook and Twitter will
not necessarily work well in an organization or organizational department that has incompatible
objectives. Will the firm use social business for operations, human resources, or innovation? The social
media platform that will work best depends on its specific business purpose. Additionally, employees
who have actively used Facebook and Twitter in their personal lives are often hesitant to use similar
social tools for work purposes because they see social media primarily as an informal, personal means of
self-expression and communication with friends and family. Most managers want employees to use
internal social tools to communicate informally about work, but not to discuss personal matters.
Employees accustomed to Facebook and Twitter may have trouble imagining how they could use social
tools without getting personal.

This means that instead of focusing on the technology, businesses should first identify how social
initiatives will actually improve work practices for employees and managers. They need a detailed
understanding of social networks: how people are currently working, with whom they are working, what
their needs are, and measures for overcoming employee biases and resistance.

A successful social business strategy requires leadership and behavioral changes. Just sponsoring a social
project is not enough—managers need to demonstrate their commitment to a more open, transparent
work style. Employees who are used to collaborating and doing business in more traditional ways need
an incentive to use social software. Changing an organization to work in a different way requires
enlisting those most engaged and interested in helping, and designing and building the right workplace
environment for using social technologies.

Management needs to ensure that the internal and external social networking efforts of the company
are providing genuine value to the business. Content on the networks needs to be relevant, up-to-date,
and easy to access; users need to be able to connect to people who have the information they need and
would otherwise be out of reach or difficult to reach. Social business tools should be appropriate for the
tasks on hand and the organization’s business processes, and users need to understand how and why to
use them.

For example, NASA’s Goddard Space Flight Center had to abandon a custom-built enterprise social
network called Spacebook because no one knew how its social tools would help people do their jobs.
Spacebook had been designed and developed without taking into consideration the organization’s
culture and politics. This is not an isolated phenomenon. Dimension Data found that one-fourth of the
900 enterprises it surveyed focused more on the successful implementation of collaboration technology,
rather than how it’s used and adopted.

Despite the challenges associated with launching an internal social network, there are companies using
these networks successfully. One company that has made social business work is Standard Bank, Africa’s
largest financial services provider, which operates in 33 countries (including 19 in Africa). Standard Bank
has embraced social business to keep up with the pace of twenty-first-century business. The bank is
using Microsoft Yammer to help it become a more dynamic organization.

Use of Yammer at Standard Bank started to take off in 2013, when the bank staged an important
conference for its executives around the world and was looking for a collaborative platform for
communicating conference logistics and posting content such as PowerPoint presentations. Many
agencies and consultants who worked for the bank used Yammer and liked the tool. Once conference
participants saw how intuitive and useful Yammer was, they wanted to use it in their own operations.
Usage exploded, and the Yammer social network grew to over 20,000 users just six months after
Standard Bank adopted the Enterprise version. Belinda Carreira, Standard Bank’s Executive Head of
Interactive Marketing, is also reaching out to departments most likely to benefit from enterprise social


Standard Bank has over 400 Yammer social groups. Many are organized around projects and
problem-solving, such as finding credit card solutions that work well in African countries. Yammer has become a
platform for listening, where employees can easily share their concerns and insights. Yammer is also
used for internal education. Yammer enables trainers to present more visual and varied material than in
the past, including videos from the Internet. In some locations, the Internet may be down for half the
day, but Standard’s employees are still able to access Yammer on their mobile phones.

Carreira notes that successful adoption and use of a social tool such as Yammer will hit roadblocks
without proper planning and organizational buy-in. Many factors must be considered. Carreira
recommends that Yammer implementors work closely with their organization’s IT department, risk and
compliance teams, human resources, communications department, and executive leadership across the
organization. In addition to internal resources, Standard Bank drew on expertise provided by Yammer
and Microsoft.

Northwards Housing, a nonprofit organization providing affordable housing services in Manchester, England, has an open organizational culture, which encourages two-way communication and information transparency. Northwards has 340 employees, who do everything from rent collection to scheduling repairs and cleaning maintenance. The organization wanted a way of exchanging information internally and with its customers that was easy to use and did not require much time for technical updates. Northwards introduced Yammer in 2012 and now has 85 percent of employees engaged with the network.

Steve Finegan, Northwards’ Head of Business Effectiveness and Communication, believes executive support was critical to the network’s growth. The Northwards CEO regularly participates in discussions, posts links to news stories of interest, and publishes a blog. The organization’s executive directors, who were initially skeptical about Yammer’s benefits, now actively post content on the network and answer


Capital One: A Big Bank Heist from the Cloud

Capital One Financial Corporation is an American bank holding company specializing in credit cards, auto loans, banking, and savings accounts. It is the eleventh largest bank in the United States in terms of assets and an aggressive user of information technology to drive its business. Capital One was an early adopter of cloud computing and a major client of Amazon Web Services (AWS). Capital One has been trying to move more critical parts of its IT infrastructure to Amazon’s cloud infrastructure in order to focus on building consumer applications and other needs.

On July 29, 2019, Capital One and its customers received some very bad news. Capital One had been breached, exposing over 140,000 Social Security numbers, 80,000 bank account numbers, tens of millions of credit card applications, and one million Canadian social insurance numbers (equivalent to Social Security numbers in the US). It was one of the largest thefts of data ever from a bank.

The culprit turned out to be Paige Thompson, a former employee of Amazon Web Services, which hosted the Capital One database that was breached. Thompson was arrested in Seattle and charged with one count of computer fraud and abuse. She had worked for the same server business that court papers said Capital One was using. Thompson could face up to five years in prison and a $250,000 fine. The bank believed it was unlikely that Thompson disseminated the information or used it for fraud. But it will still cost the bank up to $150 million, including paying for credit monitoring of affected customers.

Amazon Web Services hosts remote servers that organizations use to store their data. Large enterprises such as Capital One build their own web applications using Amazon’s cloud servers and data storage services so they can use the information for their specific needs.

The F.B.I. agent investigating the breach reported that Ms. Thompson had gained access to Capital One’s sensitive data through a “misconfiguration” of a firewall on a web application. (A firewall monitors incoming and outgoing network traffic and blocks unauthorized access.) This allowed her to communicate with the server where Capital One was storing its data and customer files. Capital One stated it had immediately fixed the configuration vulnerability once it had been detected. Amazon said its customers fully control the applications they build and that it had found no evidence that its underlying cloud services had been compromised.

Thompson was able to access and steal this sensitive information only because Capital One had misconfigured its Amazon server. Thompson could then trick a system in the cloud to uncover the credentials she needed to access Capital One’s customer records. Thompson’s crime was considered an insider threat, since she had worked at Amazon years earlier. However, outsiders also try to search for and exploit this type of misconfiguration, and server misconfigurations are commonplace. Misconfigurations are also easily fixed, so many do not consider them a breach. Sometimes it’s difficult to determine whether tinkering with misconfigurations represents a criminal activity or security


Thompson was able to tap into Amazon’s metadata service, which has the credentials and other data required to manage servers in the cloud. Ms. Thompson ran a scan of the Internet to identify vulnerable computers that could provide access to a company’s internal networks. She found a computer managing communications between Capital One’s cloud and the public Internet that had been misconfigured, with weak security settings. Through that opening Thompson was able to request the credentials required to find and read Capital One data stored in the cloud from the metadata service. Once Thompson located the Capital One data, she was able to download them without triggering any alerts. Thompson also boasted online that she had used the same techniques to access large amounts of online data from other organizations.

Amazon has stated that none of its services, including the metadata service, were the cause of the break-in and that AWS offers monitoring tools for detecting this type of incident. It is unclear why none of these alerting tools triggered an alarm when Thompson was hacking into Capital One. Thompson began hacking Capital One on March 12, 2019, but went undetected until an outside researcher tipped off Capital One 127 days later. According to C. J. Moses, deputy chief information security officer for AWS, Amazon restricts most staff members from accessing its broader internal infrastructure in order to protect against “witting or unwitting” data breaches.
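The case notes that AWS offers monitoring tools for this type of incident, yet the downloads raised no alert for 127 days. One check such monitoring can apply, shown here as an added example that is not from the case study or from AWS, is to flag API calls made with a server's role credentials from an address outside the organization's own ranges. The record field names follow the CloudTrail log format; the account ID, role, instance ID and address ranges are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: ranges the organization's own instances call AWS APIs from
# (VPC range and NAT egress). Placeholder values (RFC 1918 / RFC 5737).
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/16", "198.51.100.0/28")]

# For an EC2 instance role, the session name ending the ARN is the instance ID.
INSTANCE_SESSION = re.compile(r":assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")

def is_expected_source(source):
    """True for an address in a known range or an AWS service DNS name."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        # CloudTrail shows a DNS name here when an AWS service made the call.
        return source.endswith(".amazonaws.com")
    return any(addr in net for net in EXPECTED_NETWORKS)

def find_off_network_use(events):
    """Map (role, instance_id) -> sorted (source, eventName) pairs seen from
    outside EXPECTED_NETWORKS while using that instance's role credentials."""
    hits = defaultdict(set)
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue  # long-term user keys are out of scope for this check
        m = INSTANCE_SESSION.search(ident.get("arn", ""))
        src = ev.get("sourceIPAddress", "")
        if m and not is_expected_source(src):
            hits[m.groups()].add((src, ev.get("eventName", "?")))
    return {key: sorted(pairs) for key, pairs in hits.items()}

def _ev(name, src, arn, kind="AssumedRole"):
    return {"eventName": name, "sourceIPAddress": src,
            "userIdentity": {"type": kind, "arn": arn}}

# Constructed records: account ID, role name, instance ID and addresses are made up.
ARN = "arn:aws:sts::111122223333:assumed-role/"
ROLE = ARN + "example-app-role/i-0abc1234def567890"
SAMPLE_EVENTS = [
    _ev("GetObject", "10.0.4.17", ROLE),        # the instance itself
    _ev("ListBuckets", "203.0.113.50", ROLE),   # same credentials, outside address
    _ev("GetObject", "203.0.113.50", ROLE),
    _ev("GetObject", "203.0.113.9", ARN + "admin/alice"),  # human session, ignored
    _ev("ListBuckets", "203.0.113.9", "arn:aws:iam::111122223333:user/bob", "IAMUser"),
]
```

Calling `find_off_network_use(SAMPLE_EVENTS)` returns the one instance role whose credentials were used from 203.0.113.50, together with the API calls made from there.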

Security professionals have known about misconfiguration problems and the ability to steal credentials from the metadata service since at least 2014. Amazon believes it is the customer’s responsibility to solve them. Some customers have failed to do so. When security researcher Brenton Thomas conducted an Internet scan in February 2019, he found more than 800 Amazon accounts that allowed similar access to the metadata service. (Amazon’s cloud computing service has over one million users.) But Thomas also found other cloud computing companies with misconfigured services as well, including Microsoft’s Azure cloud.

Whatever the cloud service, the pool of talent capable of launching similar attacks is expanding. Given the nature of cloud services, any person who has worked on developing technology at any of the major cloud computing companies can learn how these systems work in practice.

Capital One had a reputation for strong cloud security. The bank had conducted extensive due diligence before deciding to move to cloud computing in 2015. However, before the giant data breach, Capital One employees had raised concerns internally about high turnover in the company’s cybersecurity unit and tardiness in installing some software to help spot and defend against hacks. The cybersecurity unit is responsible for ensuring Capital One’s firewalls are properly configured and for scanning the Internet for evidence of a data breach. In recent years there have been many changes among senior leaders and staffers. About a third of Capital One’s cybersecurity employees left the company in 2018.
