Capital One has been fined $80m following its breach last year.
According to a statement from the Office of the Comptroller of the Currency (OCC), these actions were taken against Capital One “based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner”.
The breach occurred in March 2019, when a former employee of Capital One named Paige Thompson exfiltrated the data of 100 million people in the US and six million in Canada, exploiting a weakness in the configuration of perimeter security controls to gain access to sensitive files housed in its cloud storage.
Capital One blamed a “configuration vulnerability” as the customer data was exfiltrated from an AWS S3 data storage service and moved to a GitHub site. At the time, Capital One said the breached information “included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income.”
In taking the financial action, the OCC said it considered the bank’s customer notification and remediation efforts, and while it “encourages responsible innovation” in all banks it supervises, “sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.”
Stuart Reed, UK director, Orange Cyberdefense, said: “The fine handed out to Capital One yesterday is another stark reminder of the financial implication of failing to fully assess cybersecurity risk. It is also a reminder of the potential challenges of migrating data from physical IT to the cloud, something that more and more organizations are seeking to do.”
Reed said the case against Capital One “underlines the expectation that organizations demonstrate best security practice at all times” and it is imperative that organizations recognize that the onus is on them to make sure they have done everything they can to protect customer data. “Otherwise, the consequences can be complex and extremely costly,” he said.
Mark Bower, senior vice-president at data security specialist comforte AG, said the fine “mirrors how we’ve seen industry regulators rip into ineffective controls over data protection.
“The signal is very clear: the often referenced shared responsibility cloud model means naught when it’s your data,” he added. “What’s very surprising about this breach is, per Capital One’s prior announcements, only a fraction of the regulated data was properly tokenized (credit card and SSN data), and the rest accessible under attack. Had tokenization been applied across the full regulated data set, this breach would have been a non-event.”