UNIT 6 - Case Study

Uploaded by Thai Hai Ly

Will the Coronavirus Pandemic Make Working from Home the New Normal?

As COVID-19 continued to spread around the globe, companies large and small started to make changes to the way they work, shuttering their offices and requiring most or all of their employees to work remotely from their homes.

During the pandemic, ClearRisk, which offers integrated, cloud-based software solutions for claims, fleet, incident, and insurance certificate management, had its entire staff working from home.

Many large law firms, including Reed Smith, Baker McKenzie, and Nixon Peabody, closed offices and required work at home during the pandemic. The law firms emphasized that they could continue to serve clients despite office closings and remote work.

OpenText Corp., a Canadian provider of enterprise information management products, plans to eliminate more than half of its 120 offices globally, with 2,000 of its 15,000-person workforce working from home permanently.

In mid-May 2020, Twitter Inc. notified employees that most of them could work from home indefinitely.

According to a recent MIT report, 34 percent of Americans who previously commuted to work stated that they were working from home by the first week of April 2020 due to the coronavirus outbreak. Prior to the pandemic, the number of people regularly working from home remained in the single digits, with only about 4 percent of the US workforce working from home at least half the time. However, the trend of working from home had been slowly gaining momentum thanks to advances in information technology for remote work and changes in corporate work culture. The coronavirus pandemic may mark a tipping point.

It’s likely that many people who started working from home for the first time during the pandemic will continue to do so thereafter. New health guidelines about distancing will require some workplaces to expand to accommodate all their employees or to have a significant percentage of employees work permanently from home.

Information technologies driving these changes include broadband high-speed Internet connections, laptop computers, tablets, smartphones, email, messaging, and videoconferencing tools. As companies shift their work from face-to-face to remote, video conferencing is becoming the new normal for meetings. People are trying to have good conversations, share critical information, generate new ideas, reach consensus, and make decisions quickly on this platform.

Although less than ideal for face-to-face interactions, videoconferencing is becoming more powerful and affordable. There are many options, including Skype, Skype for Business, Zoom, Microsoft Teams, Amazon Chime, BlueJeans, Cisco’s WebEx, GoToMeeting, and Google Meet. Some business people are using the same tools they do in their personal communications, such as FaceTime and Facebook Messenger. (FaceTime now supports group video chat with up to 32 people.)

Video conference software such as WebEx and BlueJeans appears designed for more corporate uses. Other software such as Microsoft’s Skype and Zoom feels more consumer-friendly and easier to set up, with free or low-cost versions suitable for smaller businesses. Skype works for video chats, calls, and instant messaging and can handle up to 50 people in a single video call. Skype allows calls to be recorded in case someone misses a meeting. Skype also provides file-sharing capabilities, caller ID, voicemail, a split view mode to keep conversations separate, and screen share on mobile devices.

Up to 1,000 users can participate in a single Zoom video call, and 49 videos can appear on the screen at once. Zoom includes collaboration tools like simultaneous screen-sharing and co-annotation, and the ability to record meetings and generate transcripts. Users can adjust meeting times, select multiple hosts, and communicate via chat if microphones and cameras are turned off.

There are definite benefits to remote work: lower overhead, more flexible schedules, reductions in employee commuting time and attrition rates, and increases in productivity. (Many companies reported that productivity did not suffer when employees worked at home during the pandemic.) According to Global Workplace Analytics, a typical company saves about $11,000 per half-time telecommuter per year. Working remotely also poses challenges.

Not all employees have access to the Internet at home, and many work in industries that require on-site work. About 80 percent of American adults have high-speed broadband Internet service at home. However, according to a Pew Research Center study, racial minorities, older adults, rural residents, and people with lower levels of education and income are less likely to have in-home broadband service. In addition, one in five American adults access the Internet only through their smartphones. Employees with little children or small apartments find working at home more difficult.

Full-time employees are four times more likely to have remote work options than part-time employees. According to Global Workplace Analytics, a typical remote worker is college-educated, at least 45 years old, and earns an annual salary of $58,000 while working for a company with more than 100 employees. Although email and text messaging are very useful, they are not effective tools for communication compared to the information exchange and personal connection of face-to-face conversations. Remote work also inhibits the creativity and innovative thinking that take place when people interact with each other face-to-face, and videoconferencing is only a partial solution. Studies have found that people working together in the same room tend to solve problems more quickly than remote collaborators, and that team cohesion suffers when members work remotely.

Is Social Business Good Business? Case Study


As companies become more dispersed in the global marketplace, businesses are turning increasingly to workplace collaboration technology, including tools for internal social networking. These tools can promote employee collaboration and knowledge sharing, and help employees make faster decisions, develop more innovative ideas for products and services, and become more engaged in their work and their companies.

Adoption of internal enterprise social networking is also being driven by the flood of email that employees typically receive each day and are increasingly unable to handle. Hundreds of email messages must be opened, read, answered, forwarded, or deleted. For example, Winnipeg, Manitoba–based Duha Group, which produces color paint samples and color systems for paint companies across the globe, was able to eliminate 125,000 excess emails per year by adopting Salesforce Chatter social collaboration tools. Managing Director Emeric Duha, who used to receive 50 emails each morning from Asia, Europe, and Australia, now has a Chatter feed of everything going on in the company.

Another driver of enterprise social networking is “app fatigue.” In order to collaborate, many employees have to log on to numerous apps, creating additional work. Contemporary enterprise social networking systems often integrate multiple capabilities in one place.

Recent studies have found that collaboration tools could be effective in boosting efficiency and productivity, while enabling users to make better business decisions. The products also expanded the potential for innovation. Not all companies, however, are successfully using them. Implementation and adoption of enterprise social networking depends not only on the capabilities of the technology but on the organization’s culture and the compatibility of these tools with the firm’s business processes. The technologies won’t provide benefits if they are applied to flawed business processes and organizational behaviors. Digital collaboration tools such as Microsoft Teams, Chatter, Yammer, Zoom, and WebEx added to email, texting, and messaging may enmesh employees in too many interactions, leaving even less time for in-depth individual thinking and problem-solving.

When firms introduce new social media technology (as well as other technologies), a sizable number of employees resist the new tools, clinging to old ways of working, including email, because they are more familiar and comfortable. There are companies where employees have duplicated communication on both social media and email, increasing the time and cost of performing their jobs. BASF, the world’s largest chemical producer with subsidiaries and joint ventures in more than 80 countries, prohibited some project teams from using email to encourage employees to use new social media tools.

Social business requires a change in thinking, including the ability to view the organization more democratically in a flatter and more horizontal way. A social business is much more open to everyone’s ideas. A secretary, assembly line worker, or sales clerk might be the source of the next big idea. As a result, getting people to espouse social business tools requires more of a “pull” approach, one that engages workers and offers them a significantly better way to work. In most cases, they can’t be forced to use social apps.

Enterprise capabilities for managing social networks and sharing digital content can help or hurt an organization. Social networks can provide rich and diverse sources of information that enhance organizational productivity, efficiency, and innovation, or they can be used to support preexisting groups of like-minded people that are reluctant to communicate and exchange knowledge with outsiders. Productivity and morale will fall if employees use internal social networks to criticize others or pursue personal agendas.

Social business applications modeled on consumer-facing platforms such as Facebook and Twitter will not necessarily work well in an organization or organizational department that has incompatible objectives. Will the firm use social business for operations, human resources, or innovation? The social media platform that will work best depends on its specific business purpose. Additionally, employees who have actively used Facebook and Twitter in their personal lives are often hesitant to use similar social tools for work purposes because they see social media primarily as an informal, personal means of self-expression and communication with friends and family. Most managers want employees to use internal social tools to communicate informally about work, but not to discuss personal matters. Employees accustomed to Facebook and Twitter may have trouble imagining how they could use social tools without getting personal.

This means that instead of focusing on the technology, businesses should first identify how social initiatives will actually improve work practices for employees and managers. They need a detailed understanding of social networks: how people are currently working, with whom they are working, what their needs are, and measures for overcoming employee biases and resistance.

A successful social business strategy requires leadership and behavioral changes. Just sponsoring a social project is not enough—managers need to demonstrate their commitment to a more open, transparent work style. Employees who are used to collaborating and doing business in more traditional ways need an incentive to use social software. Changing an organization to work in a different way requires enlisting those most engaged and interested in helping, and designing and building the right workplace environment for using social technologies.

Management needs to ensure that the internal and external social networking efforts of the company are providing genuine value to the business. Content on the networks needs to be relevant, up-to-date, and easy to access; users need to be able to connect to people who have the information they need and would otherwise be out of reach or difficult to reach. Social business tools should be appropriate for the tasks at hand and the organization’s business processes, and users need to understand how and why to use them.

For example, NASA’s Goddard Space Flight Center had to abandon a custom-built enterprise social network called Spacebook because no one knew how its social tools would help people do their jobs. Spacebook had been designed and developed without taking into consideration the organization’s culture and politics. This is not an isolated phenomenon. Dimension Data found that one-fourth of the 900 enterprises it surveyed focused more on the successful implementation of collaboration technology than on how it’s used and adopted.

Despite the challenges associated with launching an internal social network, there are companies using these networks successfully. One company that has made social business work is Standard Bank, Africa’s largest financial services provider, which operates in 33 countries (including 19 in Africa). Standard Bank has embraced social business to keep up with the pace of twenty-first-century business. The bank is using Microsoft Yammer to help it become a more dynamic organization.

Use of Yammer at Standard Bank started to take off in 2013, when the bank staged an important conference for its executives around the world and was looking for a collaborative platform for communicating conference logistics and posting content such as PowerPoint presentations. Many agencies and consultants who worked for the bank used Yammer and liked the tool. Once conference participants saw how intuitive and useful Yammer was, they wanted to use it in their own operations. Usage exploded, and the Yammer social network grew to over 20,000 users just six months after Standard Bank adopted the Enterprise version. Belinda Carreira, Standard Bank’s Executive Head of Interactive Marketing, is also reaching out to departments most likely to benefit from enterprise social networking.

Standard Bank has over 400 Yammer social groups. Many are organized around projects and problem-solving, such as finding credit card solutions that work well in African countries. Yammer has become a platform for listening, where employees can easily share their concerns and insights. Yammer is also used for internal education. Yammer enables trainers to present more visual and varied material than in the past, including videos from the Internet. In some locations, the Internet may be down for half the day, but Standard’s employees are still able to access Yammer on their mobile phones.

Carreira notes that successful adoption and use of a social tool such as Yammer will hit roadblocks without proper planning and organizational buy-in. Many factors must be considered. Carreira recommends that Yammer implementors work closely with their organization’s IT department, risk and compliance teams, human resources, communications department, and executive leadership across the organization. In addition to internal resources, Standard Bank drew on expertise provided by Yammer and Microsoft.

Northwards Housing, a nonprofit organization providing affordable housing services in Manchester, England, has an open organizational culture, which encourages two-way communication and information transparency. Northwards has 340 employees, who do everything from rent collection to scheduling repairs and cleaning maintenance. The organization wanted a way of exchanging information internally and with its customers that was easy to use and did not require much time for technical updates. Northwards introduced Yammer in 2012 and now has 85 percent of employees engaged with the network.

Steve Finegan, Northwards’ Head of Business Effectiveness and Communication, believes executive support was critical to the network’s growth. The Northwards CEO regularly participates in discussions, posts links to news stories of interest, and publishes a blog. The organization’s executive directors, who were initially skeptical about Yammer’s benefits, now actively post content on the network and answer questions.

Is the Equifax Hack the Worst Ever—and Why? Case Study


Equifax (along with TransUnion and Experian) is one of the three main U.S. credit bureaus, which maintain vast repositories of personal and financial data used by lenders to determine creditworthiness when consumers apply for a credit card, mortgage, or other loans. The company handles data on more than 820 million consumers and more than 91 million businesses worldwide and manages a database with employee information from approximately 11,000 employers, according to its website. These data are provided by banks and other companies directly to Equifax and the other credit bureaus. Consumers have little choice over how credit bureaus collect and store their personal and financial data.

Equifax has more data on you than just about anyone else. If any company needs airtight security for its information systems, it should be credit reporting bureaus such as Equifax. Unfortunately this has not been the case.

On September 7, 2017 Equifax reported that from mid-May through July 2017 hackers had gained access to some of its systems and potentially the personal information of about 143 million U.S. consumers, including Social Security numbers and driver’s license numbers. Credit card numbers for 209,000 consumers and personal information used in disputes for 182,000 people were also compromised. Equifax reported the breach to law enforcement and also hired a cybersecurity firm to investigate. The size of the breach, importance, and quantity of personal information compromised by this breach are considered unprecedented.

Immediately after Equifax discovered the breach, three top executives, including Chief Financial Officer John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange Commission filings. A company spokesman claimed the three executives had no knowledge that an intrusion had occurred at the time they sold their shares on August 1 and August 2. Bloomberg reported that the share sales were not planned in advance. On October 4, 2017 Equifax CEO Richard Smith testified before Congress and apologized for the breach.

The size of the Equifax data breach was second only to the Yahoo breach of 2013, which affected data of all of Yahoo’s 3 billion customers. The Equifax breach was especially damaging because of the amount of sensitive personal and financial data stored by Equifax that was stolen, and the role such data play in securing consumers’ bank accounts, medical histories, and access to financing. In one swoop the hackers gained access to several essential pieces of personal information that could help attackers commit fraud. According to Avivah Litan, a fraud analyst at Gartner Inc., on a scale of risk to consumers of 1 to 10, this is a 10.

After taking Equifax public in 2005, CEO Smith transformed the company from a slow-growing credit-reporting company (1–2 percent organic growth per year) into a global data powerhouse. Equifax bought companies with databases housing information about consumers’ employment histories, savings, and salaries, and expanded internationally. The company bought and sold pieces of data that enabled lenders, landlords, and insurance companies to make decisions about granting credit, hiring job seekers, and renting an apartment. Equifax was transformed into a lucrative business housing $12 trillion of consumer wealth data. In 2016, the company generated $3.1 billion in revenue.

Competitors privately observed that Equifax did not upgrade its technological capabilities to keep pace with its aggressive growth. Equifax appeared to be more focused on growing data it could commercialize.

Hackers gained access to Equifax systems containing customer names, Social Security numbers, birth dates, and addresses. These four pieces of data are generally required for individuals to apply for various types of consumer credit, including credit cards and personal loans. Criminals who have access to such data could use it to obtain approval for credit using other people’s names. Credit specialist and former Equifax manager John Ulzheimer calls this a “nightmare scenario” because all four critical pieces of information for identity theft are in one place.

The hack involved a known vulnerability in Apache Struts, a type of open-source software Equifax and other companies use to build websites. This software vulnerability had been publicly identified in March 2017, and a patch to fix it was released at that time. That means Equifax had the information to eliminate this vulnerability two months before the breach occurred. It did nothing.

Weaknesses in Equifax security systems were evident well before the big hack. A hacker was able to access credit-report data between April 2013 and January 2014. The company discovered that it mistakenly exposed consumer data as a result of a “technical error” that occurred during a 2015 software change. Breaches in 2016 and 2017 compromised information on consumers’ W-2 forms that were stored by Equifax units. Additionally, Equifax disclosed in February 2017 that a “technical issue” compromised credit information of some consumers who used identity-theft protection services from LifeLock.

Analyses earlier in 2017 performed by four companies that rank the security status of companies based on publicly available information showed that Equifax was behind on basic maintenance of websites that could have been involved in transmitting sensitive consumer information. Cyberrisk analysis firm Cyence rated the danger of a data breach at Equifax during the next 12 months at 50 percent. It also found the company performed poorly when compared with other financial-services companies. The other analyses gave Equifax a higher overall ranking, but the company fared poorly in overall web-services security, application security, and software patching.

A security analysis by Fair Isaac Corporation (FICO), a data analytics company focusing on credit scoring services, found that by July 14 public-facing websites run by Equifax had expired certificates, errors in the chain of certificates, or other web-security issues. Certificates are used to validate that a user’s connection with a website is legitimate and secure.
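The certificate problems FICO's analysis reported (expired certificates, a chain that does not validate, other web-security issues) are conditions an organization can check on its own public hosts before an outside analyst does. The script below is an added example, not part of the case study and not tooling from Equifax or FICO. `cert_findings()` works offline on a certificate summary in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, reporting expiry, imminent expiry, and a hostname not covered by the certificate; `check_live_host()` makes a real TLS connection, where a chain that does not validate surfaces as `ssl.SSLCertVerificationError`. The hostnames, certificate contents and the `AS_OF` date are constructed for the example.

```python
"""Inventory check for public-facing TLS certificates (added example, stdlib only).

cert_findings() evaluates a getpeercert()-style dict offline; check_live_host()
opens a verified TLS connection so chain-validation failures are caught as well.
"""
import datetime as dt
import socket
import ssl
from typing import Dict, List

# Constructed sample data: the hostnames and certificates are not real infrastructure.
AS_OF = dt.datetime(2017, 7, 14, 12, 0, tzinfo=dt.timezone.utc)

SAMPLE_EXPIRED = {
    "subject": ((("commonName", "www.bureau.example"),),),
    "subjectAltName": (("DNS", "www.bureau.example"), ("DNS", "bureau.example")),
    "notBefore": "Jul 01 00:00:00 2016 GMT",
    "notAfter": "Jul 01 00:00:00 2017 GMT",
}
SAMPLE_OK = {
    "subject": ((("commonName", "www.bureau.example"),),),
    "subjectAltName": (("DNS", "www.bureau.example"), ("DNS", "bureau.example")),
    "notBefore": "Jul 01 00:00:00 2017 GMT",
    "notAfter": "Jul 01 00:00:00 2018 GMT",
}


def _utc(cert_time: str) -> dt.datetime:
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' timestamps that getpeercert() emits."""
    return dt.datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), dt.timezone.utc)


def cert_names(cert: Dict) -> List[str]:
    """DNS names the certificate covers. Per RFC 6125 the subjectAltName entries
    take precedence; the subject CN is consulted only when there is no SAN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as *.bureau.example."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def cert_findings(cert: Dict, hostname: str, now: dt.datetime, warn_days: int = 30) -> List[str]:
    """Return the problems with `cert` as presented by `hostname` at time `now`."""
    findings = []
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    if now < not_before:
        findings.append(f"not yet valid until {not_before:%Y-%m-%d}")
    if now >= not_after:
        findings.append(f"expired on {not_after:%Y-%m-%d}")
    elif (not_after - now).days <= warn_days:
        findings.append(f"expires in {(not_after - now).days} days")
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        findings.append(f"hostname {hostname} not covered by certificate names {names}")
    return findings


def check_live_host(hostname: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect with full verification; a broken chain or name mismatch fails the handshake."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return [f"chain does not validate: {exc.verify_message}"]
    except (OSError, ssl.SSLError) as exc:
        return [f"connection failed: {exc}"]
    return cert_findings(cert, hostname, dt.datetime.now(dt.timezone.utc))


def demo() -> Dict[str, List[str]]:
    """Run the offline checks against the constructed samples."""
    return {
        "expired": cert_findings(SAMPLE_EXPIRED, "www.bureau.example", AS_OF),
        "ok": cert_findings(SAMPLE_OK, "www.bureau.example", AS_OF),
        "wrong-host": cert_findings(SAMPLE_OK, "api.bureau.example", AS_OF),
    }


if __name__ == "__main__":
    import sys
    for label, result in demo().items():
        print(f"{label}: {result or 'no findings'}")
    for host in sys.argv[1:]:  # optional live checks: python script.py host1 host2 ...
        print(f"{host}: {check_live_host(host) or 'no findings'}")
```

Run with no arguments to see the offline results; pass hostnames to check live endpoints. Running such a check on a schedule against the list of public hostnames, with `warn_days` set to the renewal lead time, turns an expired certificate from something an outside analyst finds into a ticket raised a month in advance.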

The findings of the outside security analyses appear to conflict with public declarations by Equifax executives that cybersecurity was a top priority. Senior executives had previously said cybersecurity was one of the fastest-growing areas of expense for the company. Equifax executives touted Equifax’s focus on security in an investor presentation that took place weeks after the company had discovered the attack.

Equifax has not revealed specifics about the attack, but either its databases were not encrypted or hackers were able to exploit an application vulnerability that provided access to data in an unencrypted state. Experts think—and hope—that the hackers were unable to access all of Equifax’s encrypted databases to match up information such as driver license or Social Security numbers needed to create a complete data profile for identity theft.

Equifax management stated that although the hack potentially accessed data on approximately 143 million U.S. consumers, it had found no evidence of unauthorized activity in the company’s core credit reporting databases. The hack triggered an uproar among consumers, financial organizations, privacy advocates, and the press. Equifax lost one-third of its stock market value. Equifax CEO Smith resigned, with the CSO (chief security officer) and CIO departing the company as well. Banks had to replace approximately 209,000 credit cards that were stolen in the breach, a major expense. Lawsuits are in the works.

Unfortunately the worst impact will be on consumers themselves, because the theft of uniquely identifying personal information such as Social Security numbers, address history, debt history, and birth dates could have a permanent effect. These pieces of critical personal data could be floating around the Dark Web for exploitation and identity theft for many years. Such information would help hackers answer the series of security questions that are often required to access financial accounts. According to Pamela Dixon, executive director of the World Privacy Forum, “This is about as bad as it gets.” If you have a credit report, there’s at least a 50 percent chance or more that your data were stolen in this breach.

The data breach exposed Equifax to legal and financial challenges, although the regulatory environment is likely to become more lenient under the current presidential administration. It already is too lenient. Credit reporting bureaus such as Equifax are very lightly regulated. Given the scale of the data compromised, the punishment for breaches is close to nonexistent. There is no federally sanctioned insurance or audit system for data storage, the way the Federal Deposit Insurance Corporation provides insurance for banks after losses. For many types of data, there are few licensing requirements for housing personally identifiable information. In many cases, terms-of-service documents indemnify companies against legal consequences for breaches.

Experts said it was highly unlikely that any regulatory body would shut Equifax down over this breach. The company is considered too critical to the American financial system. The two regulators that do have jurisdiction over Equifax, the Federal Trade Commission and the Consumer Financial Protection Bureau, declined to comment on any potential punishments over the credit agency’s breach.

Even after one of the most serious data breaches in history, no one is really in a position to stop Equifax from continuing to do business as usual. And the scope of the problem is much wider. Public policy has no good way to heavily punish companies that fail to safeguard our data. The United States and other countries have allowed the emergence of huge, phenomenally detailed databases full of personal information available to financial companies, technology companies, medical organizations, advertisers, insurers, retailers, and the government.

Equifax has offered very weak remedies for consumers. People can go to the Equifax website to see if their information has been compromised. The site asks customers to provide their last name and the last six digits of their Social Security number. However, even if they do that, they do not necessarily learn whether they were affected. Instead, the site provides an enrollment date for its protection service. Equifax offered a free year of credit protection service to consumers enrolling before November 2017. Obviously, all of these measures won’t help much because stolen personal data will be available to hackers on the Dark Web for years to come. Governments involved in state-sponsored cyberwarfare are able to use the data to populate databases of detailed personal and medical information that can be used for blackmail or future attacks. Ironically, the credit-protection service that Equifax is offering requires subscribers to waive their legal rights to seek compensation from Equifax for their losses in order to use the service, while Equifax goes unpunished. On March 1, 2018, Equifax announced that the breach had compromised an additional 2.4 million Americans’ names and driver’s license numbers.

In late 2018, the U.S. House Committee on Oversight and Government Reform published a new report on the Equifax breach. The report concluded that the incident was “entirely preventable” and occurred because Equifax had failed to implement an adequate security program to protect its sensitive data. But authorities have neither sanctioned Equifax nor addressed the deeper industry-wide flaws that the incident exposed. Since the hack, Equifax has spent over $1 billion, including costs for litigation and fines, and will have to pay a settlement of up to $700 million to resolve investigations and lawsuits stemming from the data breach. The company continues to do business as usual. Harmful data breaches keep happening. In almost all cases, even when the data concerns tens or hundreds of millions of people, companies such as Equifax and Yahoo that were hacked continue to operate. There will be hacks—and afterward, there will be more. Companies need to be even more diligent about incorporating security into every aspect of their IT infrastructure and systems development activities. According to Litan, to prevent data breaches such as Equifax’s, organizations need many layers of security controls. They need to assume that prevention methods are going to fail.

Capital One: A Big Bank Heist from the Cloud


Capital One Financial Corporation is an American bank holding company specializing in credit cards, auto loans, banking, and savings accounts. It is the eleventh largest bank in the United States in terms of assets and an aggressive user of information technology to drive its business. Capital One was an early adopter of cloud computing and a major client of Amazon Web Services (AWS). Capital One has been trying to move more critical parts of its IT infrastructure to Amazon’s cloud infrastructure in order to focus on building consumer applications and other needs.

On July 29, 2019, Capital One and its customers received some very bad news. Capital One had been breached, exposing over 140,000 Social Security numbers, 80,000 bank account numbers, tens of millions of credit card applications, and one million Canadian social insurance numbers (equivalent to Social Security numbers in the US). It was one of the largest thefts of data ever from a bank.

The culprit turned out to be Paige Thompson, a former employee of Amazon Web Services, which hosted the Capital One database that was breached. Thompson was arrested in Seattle and charged with one count of computer fraud and abuse. She had worked for the same server business that court papers said Capital One was using. Thompson could face up to five years in prison and a $250,000 fine.

The bank believed it was unlikely that Thompson disseminated the information or used it for fraud. But it will still cost the bank up to $150 million, including paying for credit monitoring of affected customers.

Amazon Web Services hosts remote servers that organizations use to store their data. Large enterprises such as Capital One build their own web applications using Amazon’s cloud servers and data storage services so they can use the information for their specific needs.

The F.B.I. agent investigating the breach reported that Ms. Thompson had gained access to Capital One’s sensitive data through a “misconfiguration” of a firewall on a web application. (A firewall monitors incoming and outgoing network traffic and blocks unauthorized access.) This allowed her to communicate with the server where Capital One was storing its data and customer files. Capital One stated it had immediately fixed the configuration vulnerability once it had been detected. Amazon said its customers fully control the applications they build and that it had found no evidence that its underlying cloud services had been compromised.

Thompson was able to access and steal this sensitive information only because Capital One had misconfigured its Amazon server. Thompson could then trick a system in the cloud to uncover the credentials she needed to access Capital One’s customer records. Thompson’s crime was considered an insider threat, since she had worked at Amazon years earlier. However, outsiders also try to search for and exploit this type of misconfiguration, and server misconfigurations are commonplace. Misconfigurations are also easily fixed, so many do not consider them a breach. Sometimes it’s difficult to determine whether tinkering with misconfigurations represents a criminal activity or security research.

Thompson was able to tap into Amazon’s metadata service, which has the credentials and other data required to manage servers in the cloud. Ms. Thompson ran a scan of the Internet to identify vulnerable computers that could provide access to a company’s internal networks. She found a computer managing communications between Capital One’s cloud and the public Internet that had been misconfigured, with weak security settings. Through that opening Thompson was able to request the credentials required to find and read Capital One data stored in the cloud from the metadata service. Once Thompson located the Capital One data, she was able to download them without triggering any alerts. Thompson also boasted online that she had used the same techniques to access large amounts of online data from other organizations.
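A request that makes a web application fetch the metadata service on someone else's behalf, as the case describes, leaves a trace in that application's own access log, which is where a defender can look for it. The detector below is an added example, not code from the case study, from Capital One or from AWS. It parses access-log lines in the common Apache/nginx combined format, URL-decodes every query parameter, and flags requests carrying a URL that points at the EC2 instance metadata addresses (169.254.169.254 and its IPv6 counterpart fd00:ec2::254) or at the `/latest/meta-data` path. The log lines are constructed, and the parameter name `url` and the log field layout are assumptions about the application being monitored.

```python
"""Flag access-log requests that try to reach the EC2 instance metadata service
through a web application (added example; sample log lines are constructed)."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Addresses the EC2 instance metadata service (IMDS) answers on.
METADATA_ADDRESSES = {"169.254.169.254", "fd00:ec2::254"}
METADATA_PATH = "/latest/meta-data"

# Apache/nginx "combined" log format; only the fields the detector needs are captured.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Constructed sample log: documentation-range source addresses, a fictitious /render endpoint.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2019:08:14:02 +0000] "GET /assets/logo.png HTTP/1.1" 200 5123',
    '203.0.113.77 - - [12/Mar/2019:08:15:41 +0000] "GET /render?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 812',
    '198.51.100.5 - - [12/Mar/2019:08:16:00 +0000] "GET /render?url=https%3A%2F%2Fwww.partner.example%2Fpage HTTP/1.1" 200 4096',
    '203.0.113.77 - - [12/Mar/2019:08:17:13 +0000] "GET /render?url=http%3A%2F%2F%5Bfd00%3Aec2%3A%3A254%5D%2Flatest%2F HTTP/1.1" 200 300',
]


def is_metadata_address(host: Optional[str]) -> bool:
    """True if `host` is an IMDS address in any textual spelling (case, zero padding)."""
    if not host:
        return False
    try:
        return str(ipaddress.ip_address(host.strip("[]"))) in METADATA_ADDRESSES
    except ValueError:  # a hostname rather than an IP literal
        return False


def metadata_reason(candidate: str) -> Optional[str]:
    """Explain why a decoded parameter value points at IMDS, or return None."""
    try:
        parts = urlsplit(candidate)
        host = parts.hostname
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return None
    if is_metadata_address(host):
        return f"URL targets instance metadata address {host}"
    if METADATA_PATH in parts.path:
        return f"URL path contains {METADATA_PATH}"
    return None


def inspect_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one access-log line, or None if it looks benign."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = m.group("target")
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; strip a second layer of encoding
        reason = metadata_reason(value)
        if reason:
            return {"src": m.group("src"), "ts": m.group("ts"), "param": name,
                    "target": target, "reason": reason}
    return None


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run inspect_line over a log and keep only the findings."""
    return [finding for finding in map(inspect_line, lines) if finding]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} param={hit['param']}: {hit['reason']}")
```

For real logs, pass the open file to `scan()`. The findings are a starting point for an alert, not a verdict: the same source address appearing with several such requests in a short window, as in the sample, is the pattern worth paging on.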

Amazon has stated that none of its services, including the metadata service, were the cause of the break-in and that AWS offers monitoring tools for detecting this type of incident. It is unclear why none of these alerting tools triggered an alarm when Thompson was hacking into Capital One. Thompson began hacking Capital One on March 12, 2019, but went undetected until an outside researcher tipped off Capital One 127 days later. According to C. J. Moses, deputy chief information security officer for AWS, Amazon restricts most staff members from accessing its broader internal infrastructure in order to protect against “witting or unwitting” data breaches.

Security professionals have known about misconfiguration problems and the ability to steal credentials from the metadata service since at least 2014. Amazon believes it is the customer’s responsibility to solve them. Some customers have failed to do so. When security researcher Brenton Thomas conducted an Internet scan in February 2019, he found more than 800 Amazon accounts that allowed similar access to the metadata service. (Amazon’s cloud computing service has over one million users.) But Thomas also found other cloud computing companies with misconfigured services as well, including Microsoft’s Azure cloud.
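On the customer side of the responsibility Amazon describes, the control that closes this credential path is to require the session-oriented version of the instance metadata service (IMDSv2, which AWS introduced after this incident and which the case does not mention), so that a single forwarded GET request no longer returns role credentials. The audit below is an added example, not code from the case study or from AWS. It walks the `Reservations[].Instances[].MetadataOptions` structure that the EC2 `DescribeInstances` API returns, reports instances that still answer unauthenticated (IMDSv1) requests or use a hop limit above 1, and builds the arguments for `ModifyInstanceMetadataOptions` to fix them. The sample response and instance IDs are constructed; the boto3 calls in `fetch_instances()` and `apply_remediation()` are real API calls but only run if you invoke those functions.

```python
"""Audit EC2 instances for instance-metadata-service hardening (added example)."""
from typing import Dict, List

# Constructed DescribeInstances response; the instance IDs are placeholders.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0a1b2c3d4e5f60001",
             "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 2,
                                 "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0a1b2c3d4e5f60002",
             "MetadataOptions": {"HttpTokens": "required", "HttpPutResponseHopLimit": 1,
                                 "HttpEndpoint": "enabled"}},
            {"InstanceId": "i-0a1b2c3d4e5f60003",
             "MetadataOptions": {"HttpTokens": "optional", "HttpPutResponseHopLimit": 1,
                                 "HttpEndpoint": "disabled"}},
        ]}
    ]
}


def assess(instance: Dict) -> List[str]:
    """Findings for one instance record from DescribeInstances."""
    opts = instance.get("MetadataOptions", {})
    if opts.get("HttpEndpoint") == "disabled":
        return []  # the service is switched off for this instance; nothing to reach
    findings = []
    if opts.get("HttpTokens") != "required":
        findings.append("IMDSv1 allowed (HttpTokens=optional): a forwarded GET can return role credentials")
    hop_limit = opts.get("HttpPutResponseHopLimit", 1)
    if hop_limit > 1:
        findings.append(f"HttpPutResponseHopLimit={hop_limit}: IMDSv2 token responses can cross "
                        "a network hop, e.g. into containers on the host")
    return findings


def audit(response: Dict) -> Dict[str, List[str]]:
    """Map instance ID to findings, for instances that have any."""
    report = {}
    for reservation in response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            findings = assess(instance)
            if findings:
                report[instance["InstanceId"]] = findings
    return report


def remediation_calls(report: Dict[str, List[str]]) -> List[Dict]:
    """Keyword arguments for ec2.modify_instance_metadata_options(), one call per instance."""
    return [{"InstanceId": instance_id, "HttpTokens": "required", "HttpPutResponseHopLimit": 1}
            for instance_id in sorted(report)]


def fetch_instances(region_name: str) -> Dict:
    """Live DescribeInstances via boto3, merged into the same shape as SAMPLE_RESPONSE."""
    import boto3  # imported lazily so the offline functions need no AWS SDK installed
    ec2 = boto3.client("ec2", region_name=region_name)
    reservations = []
    for page in ec2.get_paginator("describe_instances").paginate():
        reservations.extend(page["Reservations"])
    return {"Reservations": reservations}


def apply_remediation(region_name: str, report: Dict[str, List[str]]) -> int:
    """Require IMDSv2 and a hop limit of 1 on every instance in `report`; returns the count."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    calls = remediation_calls(report)
    for kwargs in calls:
        ec2.modify_instance_metadata_options(**kwargs)
    return len(calls)


if __name__ == "__main__":
    findings = audit(SAMPLE_RESPONSE)
    for instance_id, problems in findings.items():
        print(instance_id)
        for problem in problems:
            print("  -", problem)
    print("remediation:", remediation_calls(findings))
```

Run the module to see the report for the constructed sample; for a real account, call `audit(fetch_instances("us-east-1"))` and review the output before handing it to `apply_remediation()`. Requiring tokens breaks workloads that still use IMDSv1 clients, so the audit report is also the list of instances whose software needs checking first.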

Whatever the cloud service, the pool of talent capable of launching similar attacks is expanding. Given the nature of cloud services, any person who has worked on developing technology at any of the major cloud computing companies can learn how these systems work in practice.

Capital One had a reputation for strong cloud security. The bank had conducted extensive due diligence before deciding to move to cloud computing in 2015. However, before the giant data breach, Capital One employees had raised concerns internally about high turnover in the company’s cybersecurity unit and tardiness in installing some software to help spot and defend against hacks. The cybersecurity unit is responsible for ensuring Capital One’s firewalls are properly configured and for scanning the Internet for evidence of a data breach. In recent years there have been many changes among senior leaders and staffers. About a third of Capital One’s cybersecurity employees left the company in 2018.
