Following Massive Breach, Capital One Replacing CISO: Report
Bank Reportedly Will Look Outside the Company for Security Leadership
Nearly four months after Capital One revealed a massive data breach, Michael Johnson, the bank's CISO, is being moved into an outside advisory role, and the company is scouting for a new security leader, according to the Wall Street Journal.
Bank employees were told Thursday that Johnson would leave the CISO position, which he had held since 2017, the newspaper reports. As Capital One prepares to find a new security leader, Mike Eason, the CIO of the company's commercial bank operation, will take over on an interim basis, according to the Journal.
Following the announcement of the breach, almost a dozen of the cybersecurity professionals employed at the bank quit due to differences with Johnson, the Wall Street Journal reports, citing interviews with employees who asked to remain anonymous. The employees reportedly had raised concerns about the company’s failure to install certain software to help spot and defend against hacks, the newspaper reports.
Capital One did not respond to a request for comment on Friday.
On Friday, Johnson's LinkedIn profile still listed him as Capital One's CISO. In addition, Eason's LinkedIn profile still listed him as CIO of the commercial banking division. And while Eason has extensive experience in IT and technology, his profile does not list any specific cybersecurity experience.
Massive Breach
The shakeup in Capital One's security division comes after the company confirmed in August that a hacker stole data from the bank for 100 million U.S. individuals as well as 6 million Canadians (see: Capital One: Where Did the Bank Fail on Defense?).
In July, Paige A. Thompson was charged with hacking into the Capital One network and accessing the bank's data. Federal prosecutors also believe she used similar techniques to access data from over 30 other organizations over several months, and they say she could face additional charges. Earlier this week, Thompson was released from federal custody until her trial, slated to begin early next year (see: Alleged Capital One Hacker Released From Prison).
Sometime between March and July, Thompson allegedly took advantage of a misconfigured firewall within Capital One's network and then gained access to several years' worth of credit card data stored within the company's cloud storage system, according to the federal indictment.
To bypass security within the organizations she targeted, Thompson allegedly created tools to scan servers hosted by a cloud computing company, according to the indictment. She looked for misconfigured web application firewalls that would allow her to send commands from outside the networks to access the data stored within the networks, prosecutors allege.
Although the cloud provider involved is not specified in the indictment, Capital One has previously stated that it uses Amazon Web Services for its cloud infrastructure and that it also uses the company's Simple Storage Service, or Amazon S3, to store its data. Thompson briefly worked at AWS, according to news reports.
Security Scapegoats
After major breaches, the loss of public trust can lead to the end of careers for powerful executives, says Charles King, president and analyst at Pund-IT, an independent IT consulting firm based in Hayward, California.
"While CEOs and other C-level executives sometimes appear to have few restraints on their personal behavior, most are required to follow a handful of simple rules: Don't damage the company, embarrass the board of directors, injure shareholders or anger customers," King tells Information Security Media Group. "Being victimized by cybercriminals seeking valuable consumer data ticks all of these boxes, so it's not unusual for the senior executives responsible to pay the ultimate job-related price."
In the wake of a massive 2017 data breach, Equifax announced CSO Susan Mauldin would "retire" (see: More Questions Raised After Equifax CIO, CSO 'Retire').
Other CISOs and security heads who have been ousted following a breach include Uber's CSO Joe Sullivan and his deputy, Craig Clark, who allegedly covered up a breach in 2017 that exposed the personal information of 57 million people (see: Fast and Furious Data Breach Scandal Overtakes Uber).
And sometimes it goes even further up the corporate ladder. In 2014, the CEO of Target, Gregg Steinhafel, resigned following a breach that affected as many as 70 million of the retailer’s customers, costing the company about $1 billion in clean-up costs and lawsuits.