Dive Brief:
- Capital One will pay an $80 million penalty for last year's data breach involving more than 106 million individuals, regulators said Thursday.
- The Office of the Comptroller of the Currency (OCC) said its consent order is based on the bank's "failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner."
- In conjunction with the OCC, the Federal Reserve issued a cease and desist order against the bank. The Fed said the bank's board of directors must submit a written plan within 90 days outlining how it intends to improve its risk management program and internal controls for protecting customer data. The Fed's enforcement action does not include a monetary penalty.
Dive Insight:
Capital One's data breach was one of the largest to hit a financial services company, affecting about 100 million people in the U.S. and another 6 million in Canada, the bank announced last year.
That hack occurred after a former employee of Capital One's cloud hosting company, Amazon Web Services, gained access to the bank's customer data by exploiting a misconfigured web application firewall. At the time of the incident, AWS distanced itself from responsibility for the flaw, as the exploited Server-Side Request Forgery (SSRF) vulnerability fell within the bank's purview.
Cloud providers secure the physical infrastructure and their own platform; protecting the data and configurations a customer runs on that platform remains the customer's responsibility. The compromised data, connected to credit card applications filed between 2005 and 2019, included names, postal codes, birth dates and self-reported income. The breach also exposed credit scores, credit limits, balances, payment history and fragmented transaction history from 2016 to 2018.
In June, a U.S. District Court granted plaintiffs the right to review Capital One's forensic analysis of the breach. The investigation was overseen by then-interim CISO Mike Eason. In April, the company onboarded Chris Betz as CISO, and Goldman Sachs' former CISO Andy Ozment to oversee technology risk.
The OCC said the McLean, Virginia-based bank "failed to establish appropriate risk management" and "failed to identify numerous control weaknesses and gaps in the cloud operating environment."
The bank's board "failed to take effective actions to hold management accountable" and the bank "engaged in unsafe or unsound practices that were part of a pattern of misconduct," the OCC said.
Because the alleged hacker, Paige "erratic" Thompson, exploited the SSRF vulnerability and then escalated privileges to carry out the breach, Capital One's security procedures fell short of proper access control standards. Certain privileges should be available only on a need-to-know basis.
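The article names two control failures: a web-facing component that could be made to issue requests on an attacker's behalf (SSRF), and privileges broader than the component needed. A web application firewall is one layer against the first problem, but the application itself can refuse unsafe outbound requests regardless of WAF configuration. The following is an added illustration written for this page, not Capital One's or AWS's code. It assumes a hypothetical allowlist of partner hostnames (`ALLOWED_HOSTS`), resolves each name and rejects any target that lands in loopback, private or link-local address space, including IPv4-mapped IPv6 forms; the DNS answers in `_constructed_resolver` are constructed sample data so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist: the only hostnames this service is permitted to fetch from.
# A real deployment would load this from configuration, not hard-code it.
ALLOWED_HOSTS = {"api.example-partner.test", "static.example-cdn.test"}

# Address ranges an application-tier outbound request should never reach:
# loopback, RFC 1918 private space, link-local, unspecified, and their IPv6 equivalents.
DENIED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fc00::/7"),
    ipaddress.ip_network("fe80::/10"),
]


def resolve_all(host):
    """Return every address the host resolves to, using a real DNS lookup."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _constructed_resolver(host):
    """Constructed sample DNS answers for the demo; no network access is made.
    The second name deliberately resolves to an IPv4-mapped private address."""
    table = {
        "api.example-partner.test": ["203.0.113.10"],
        "static.example-cdn.test": ["198.51.100.7", "::ffff:10.0.0.5"],
    }
    if host not in table:
        raise socket.gaierror(f"constructed resolver has no record for {host}")
    return table[host]


def check_outbound_url(url, resolver=resolve_all):
    """Decide whether the application may fetch `url`.

    Returns (allowed, reason). The checks are applied in order: scheme, hostname
    allowlist, then every resolved address against DENIED_NETWORKS, so a
    permitted-looking name that resolves into an internal range is still refused.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme not permitted: {parsed.scheme!r}"
    host = parsed.hostname
    if host is None:
        return False, "no hostname in URL"
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allowlist: {host}"
    try:
        addrs = resolver(host)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Normalise ::ffff:a.b.c.d so the IPv4 deny ranges apply to it as well.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        for net in DENIED_NETWORKS:
            if ip in net:
                return False, f"{host} resolves to denied address {addr} ({net})"
    return True, f"ok: {host} -> {', '.join(addrs)}"


if __name__ == "__main__":
    samples = [
        "https://api.example-partner.test/v1/rates",
        "https://static.example-cdn.test/logo.png",
        "http://internal.corp.test/admin",
        "ftp://api.example-partner.test/",
    ]
    for sample in samples:
        allowed, reason = check_outbound_url(sample, resolver=_constructed_resolver)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {sample}: {reason}")
```

The check is deliberately applied inside the service rather than only at the WAF, so a firewall misconfiguration does not silently remove it. The resolved-address step is the part most often omitted: allowlisting a hostname alone still trusts whatever that name resolves to. Pairing this with a narrowly scoped identity for the component (the "need-to-know" point above) limits what a request that slips through can reach.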
The OCC, however, said it "positively considered" the bank's customer notification and remediation efforts following the hack. The bank notified impacted customers within 10 days of the intrusion's discovery.
"Safeguarding our customers' information is essential to our role as a financial institution," a Capital One spokesperson said. "The controls we put in place before last year's incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker."
"In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders," the spokesperson added. "We appreciate our regulators' recognition of our positive customer notification and remediation efforts, and remain committed to working closely with them to ensure that we meet the highest standards of protection for our customers."