Capital One Fined $80 Million Over 2019 BreachReport Finds Bank Failed to Properly Assess Risk of Moving Data to the Cloud
A federal banking regulator has fined Capital One $80 million, citing numerous security shortfalls before the 2019 data breach that exposed the financial and personal information of over 100 million individuals in the U.S. and Canada.
The U.S. Office of the Comptroller of the Currency, which is part of the Treasury Department, issued the fine Thursday. The regulator also published a report that found the bank did not properly assess the risk of moving its data to the cloud starting in 2015, and that internal audits did not recognize these security weaknesses. The breach apparently involved exfiltration of data from a cloud-based repository (see: Woman Arrested in Massive Capital One Data Breach).
"The bank failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment," according to the OCC report. "The bank also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts."
Compliance Committee Mandated
The OCC also ordered Capital One to create an independent compliance committee that will report to the bank's board of directors. This committee must submit its first report by Oct. 30 and then create a plan describing how the company will address compliance and security issues.
After that, the compliance committee must submit regular reports to the board.
Capital One has also voluntarily entered into consent agreements with the OCC and the Federal Reserve Board, pledging to address cybersecurity issues and customer data protection.
Bank Says Security Enhanced
A Capital One spokesperson, who declined to directly comment on the fine, noted that the company has changed many of its security policies since the 2019 breach.
"Safeguarding our customers’ information is essential to our role as a financial institution,” the Capital One spokesperson tells Information Security Media Group. “The controls we put in place before last year’s incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker. In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses and have made substantial progress in addressing the requirements of these orders."
2019 Capital One Breach
The massive data breach at Capital One was discovered in July 2019.
The exposed data included the personal and financial information of 100 million Americans as well as 6 million Canadians.
The FBI and U.S. Justice Department have charged Paige A. Thompson, who lives in the Seattle area, with accessing the company's cloud-based repository of credit card applications after allegedly taking advantage of a misconfigured firewall, according to an earlier criminal complaint filed in the case (see: Paige Thompson Charged With Hacking 30 Organizations).
Thompson worked for a time at Amazon Web Services, which is the cloud provider that Capital One used for its internal IT infrastructure. During her time with Amazon, Thompson worked on projects involving the company's Simple Cloud Storage Service - aka Amazon S3 - and security experts have suggested that she may have discovered weaknesses in Capital One's implementation of the technology, which then allowed her to exfiltrate the data (see: Capital One's Breach May Be a Server Side Request Forgery).
While federal prosecutors allege that Thomson took data from Capital One and possibly dozens of other companies, they say she apparently did not attempt to sell the information. She allegedly posted some of the information to GitHub, which tipped off Capital One and law enforcement to the breach, according to the FBI (see: Prosecutors Allege Capital One Suspect Stole From Many Others).
Thompson has pleaded not guilty to federal charges of wire fraud and computer crime and abuse. She remains free on bail while awaiting trial, which is now scheduled for February 2021 due to the complexity of the case and delays because of the COVID-19 pandemic, according to federal court documents.