Capital One Financial Corp has been hit with a $80 million fine after incurring a huge data breach one year ago.
US banking regulator the Office for the Comptroller of the Currency issued this penalty because the bank did not carry out appropriate risk assessment when migrating its data to the AWS cloud, which led to the details of over 100 million of its customers being leaked online.
The OCC called out Capital One for its “failure to establish effective risk assessment processes prior to mitigating significant information technology operations to the public cloud environment” in a statement released yesterday by the regulatory body.
Capital One Data Breach
The leak took place in July 2019. The bank announced that the personally identifiable information (PII), which included names and addresses, of over 100 million customers in the US and six million in Canada had been obtained by a hacker.
The actor suspected of the breach was a former employee of Amazon Web Systems, the chosen cloud provider of Capital One. The leak did not include any banking or credit card information, but did contain over 140,000 social security numbers and 80,000 linked bank account numbers, as reported by Reuters.
The regulatory body explained its position:
“In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts. While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.
“The OCC found the noted deficiencies to constitute unsafe or unsound practices and resulted in noncompliance with Interagency Guidelines Establishing Information Security Standards”.
The penalty consent order from the OCC sites the fault to have been in the 2015 internal audit at the US bank. According to the order, the audit failed to hold management to account or to highlight numerous control gaps in the cloud operating environment:
“The internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment.
“The audit also did not effectively report on and highlight identified weaknesses and gaps to the Audit Committee. For certain concerns raised by the internal audit, the Board failed to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses”.
The OCC has ordered Capital One to submit a new risk assessment plan within 90 days to overhaul the Banks “Cloud and legacy technology operating environments”.
Stuart Reed, UK Director, Orange Cyberdefense, said: “The fine handed out to CapitalOne yesterday is another stark reminder of the financial implication of failing to fully assess cybersecurity risk. It is also a reminder of the potential challenges of migrating data from their physical IT to the cloud. Something that more and more organisations are seeking to do. This underlines the importance of building in robust cybersecurity from the outset to enable sustainable digital success without risking financial consequences and penalties that will hit an organisation’s bottom line.”
“The case against Capital One underlines the expectation that organisations demonstrate best security practice at all times. It is imperative that organisations recognise that the onus is on them to make sure they have done everything they can to protect customer data. Otherwise, the consequences can be complex and extremely costly.
“Organisations need to adopt a mature cybersecurity posture, applying a layered approach that includes people, process, and enabling technologies to reduce the risk, minimise the impact of a breach should one occur, and demonstrate diligence and best practice to both customers and governing bodies.
“With huge financial penalties awaiting any company that fails safeguard customers and their data, the task at hand may feel quite overwhelming, but it need not be. Organisations can create a safer digital society, and there is a wealth of expertise available to work on partnership and create a cybersecurity framework that suits their needs.”