You are currently viewing Capital One, AWS, and data security: The world will come around to our approach

Most people most of the time think we’re crazy, that our approach to data security is frankly too much. But this past week, when Capital One announced a data breach that exposed the private data of more than 100 million unsuspecting consumers, I was reminded of why we take the approach we do — and why the world will eventually come around.

Capital One and Amazon Web Services (AWS) — the infrastructure provider for Capital One, SurveyCTO, and many of the other companies and services you know and trust — blame a “misconfigured firewall” for the breach. 

Question #1: Why is there only a single very-complex-to-configure firewall sitting between hackers and private data as sensitive as social security numbers and dates of birth?

It then emerged that the alleged hacker is a former AWS employee. As yet, I haven’t seen any claim that she learned about potential or actual vulnerabilities while on the job at AWS, but it raises an important question about AWS employees.

Question #2: What level of access do the multinational fleets of highly-technical AWS employees and contractors have to data housed on AWS systems?

When we push SurveyCTO users to encrypt their sensitive data using their own private encryption keys and bend over backwards to ensure that we never see those private keys, it’s not because we don’t necessarily trust ourselves to treat that private data responsibly. Of course, we think quite highly of our team and the measures we put in place to safeguard private data. But humans being humans and computers being computers, mistakes do happen. And we rely on providers like AWS to provide cost-effective cloud infrastructure for our services, which means that there are many more humans and many more computers added into the mix — all of which can be points of failure.

Our commitment to and advocacy for private-key encryption methods stems from a deep desire to safeguard sensitive data, to inoculate it against potential points of failure or exposure.

If you’re a SurveyCTO user and haven’t been making full use of our encryption features, let this Capital One breach be a reminder to you. And if you haven’t been using a data-collection solution that makes it easy to strongly encrypt your data, consider switching to a solution like SurveyCTO.

Try SurveyCTO today

Chris Robert


Chris is the founder of SurveyCTO. He now serves as Director and Founder Emeritus, supporting Dobility in a variety of part-time capacities. Over the course of Dobility’s first 10 years, he held several positions, including CEO, CTO, and Head of Product.

Before founding Dobility, he was involved in a long-term project to evaluate the impacts of microfinance in South India; developed online curriculum for a program to promote the use of evidence in policy-making in Pakistan and India; and taught statistics and policy analysis at the Harvard Kennedy School. Before that, he co-founded and helped grow an internet technology consultancy and led technology efforts for the top provider of software and hardware for multi-user bulletin board systems (the online systems most prominent before the Internet).