A regulator in the U.S. has ordered Capital One to pay $80 million for its role in a widespread data breach that saw details of more than 100 million of its customers exposed in a hack.
The news comes after the Office of the Comptroller of Currency, a division within the US Treasury Department released a report stating that Capital One had failed “to establish effective risk assessment processes” that eventuated in 106 million of its customers having their personal information leaked.
In a statement, the OCC says that the “OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant technology operators to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.”
Reports state that while the data breach occurred in March and April of 2019, the bank itself wasn’t aware of the breach until mid-July, where someone tipped the company to an online file stored on GitHub.
That led federal investigators to Paige Thompson, a former cloud engineer who worked at Amazon, who was charged with computer and wire fraud. Prosecutors say that Thompson exploited a “configuration vulnerability” that allowed her to view Capital One customers, as well as their private information, which she posted online.
Thompson has pleaded not guilty to the charges, and her trail is set to take place some time next year.
According to a report from the Wall Street Journal, “consent orders from the OCC and the Federal Reserve also required the bank to make risk-management changes and beef up its cybersecurity defenses.”
Interestingly, that report mentions that “before the hack was made public, Capital One employees had raised concerns about what they saw as a high turnover in its cybersecurity unit and a failure to promptly install some software that could have helped to spot and defend against hacks.”
Part of these risk-management changes will see Capital One create a compliance committee by the end of the month, which will meet on a quarterly basis, and will create an action plan derived from improved cybersecurity policies and risk-based thinking in terms of their IT system.
A spokesperson from Capital One has told CNN Business that “safeguarding our customers’ information is essential to our role as a financial institution.”
They added that “in the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”
They concluded by stating that Capital One is aiming to meet “the highest standards of protection for its customers.”
Stuart Reed, the UK director of Orange Cyberdefense has told Infosecurity Magazine that “the fine handed out to Capital One is another stark reminder of the financial implications of failing to fully assess cybersecurity risk. It is also a reminder of the potential challenges of migrating data from physical IT to the cloud, something that more and more organisations are seeking to do.”
Reed continues to explain that the fine “underlines the expectation that organisations demonstrate best security practice at all times.”
That same report quotes Mark Bower, vice-president of comforte AG, who said that the case “mirrors how we’ve seen industry regulators rip into ineffective controls over data protection.”
Bower said that “the signal is very clear: the often referenced shared responsibility cloud model means naught when it’s your data… what’s very surprising about this breach is, per Capital One’s prior announcements, only a fraction of the regulated data was properly tokenized and the rest accessible under attack. Had tokenization been applied across the full regulated data set, this breach would have been a non-event,” he said.