Capital One agrees to $80M fine, cybersecurity consent order for 2019 data breach
Capital One Financial Corp. today agreed to pay an $80 million fine and enter into a consent order to boost its cybersecurity in a settlement that follows the theft of more than 100 million customer records disclosed in July 2019.
The settlement with the Federal Reserve Board and the Office of the Comptroller of the Currency sets out a series of steps Capital One must take to improve its risk-management program and internal controls in relation to both cybersecurity and information security.
The breach was caused by Capital One leaving customer data on an exposed Amazon Web Services Inc. S3 storage “bucket.” The data itself consisted of credit card applications that included names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income.
The applications also included “portions of credit card customer data” including credit scores, credit limits, balances, payment history and contact information. In addition, the data included 140,000 Social Security numbers along with 80,000 linked bank account numbers.
At the time Capital One blamed the hack on a “sophisticated individual [who] was able to exploit a specific configuration vulnerability in our infrastructure.” Despite exposing the data to all and sundry, under the terms of the consent order Capital One has neither admitted nor denied any wrongdoing.
“The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner,” the OCC said in a statement. “While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.”
Separately, the Washington Business Journal reported that the Federal Reserve requires Capital One to comply with the OCC order and to submit a series of written plans within 90 days to strengthen oversight of Capital One’s risk management program, its internal controls and governance and other items identified by the Fed.
Whether Capital One can comply with the requirements is another matter. Casey Kraus, president of cloud security management start-up Senserva LLC, told SiliconANGLE that it’s likely to be a tough task for the board to complete and make effective.
“Companies do not operate with the intention of getting breached, so Capital One may not understand all the possible exposures they had,” Kraus explained. “It would be difficult for them to write a plan for improvement without knowing all the areas in which they can improve.”
If Capital One produces the requested document, it will satisfy the internal security processes it documents, and that may be enough for the Fed, he said. “However, there is always a risk to the end consumer because there will always be bad agents out there that are trying to exploit any possible exposure that is available, or will become available as technology continues to evolve,” he added.