Capital One fined £61.3m by regulator for 2019 data breach

The Office of the Comptroller of the Currency (OCC), a banking regulator in the U.S., has imposed a civil money penalty of $80 million (£61.3 million) on Capital One Financial Corp for failing to prevent a massive data breach that compromised the personal information of about 100 million U.S. citizens.

The data breach took place in July last year when Paige Thompson, a 33-year-old software engineer formerly employed by a Seattle technology company, gained access to databases owned by Capital One and stole vast amounts of personal data about Capital One credit card customers and individuals who had applied for new credit cards.

In a press release published in September last year, Capital One said that Thompson was able to get her hands on the personal data of consumers and small businesses who had applied for credit card products between 2005 and early 2019.

Information stolen by her included about 140,000 Social Security numbers, about 80,000 linked bank account numbers, credit scores, credit limits, balances, payment history, contact information, and transaction data of Capital One's credit card customers.

Thompson was also able to steal credit card application data that contained names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income of credit card applicants in the United States and Canada. Overall, the data breach compromised the personal information of approximately 100 million individuals in the United States and approximately 6 million in Canada.

Thompson was indicted on 28th August last year by a federal grand jury in the U.S. District Court in Seattle on two counts of unauthorised intrusion into stored data of more than 30 different companies, including Capital One.

"Thompson created scanning software that allowed her to identify customers of a cloud computing company who had misconfigured their firewalls, allowing outside commands to penetrate and access their servers. Thompson used this access not only to steal data, but also used stolen computer power to 'mine' cryptocurrency for her own benefit, a practice known as 'cryptojacking'," said the Department of Justice.

Capital One failed to manage risks in the cloud operating environment prior to the breach

On Wednesday, the OCC imposed a monetary penalty of $80 million (£61.3 million) on Capital One, stating that the bank failed to "establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment".

It also observed that Capital One failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts. The bank's internal audit also failed to identify numerous control weaknesses and gaps in the cloud operating environment.

"While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers. The OCC found the noted deficiencies to constitute unsafe or unsound practices and resulted in noncompliance with 12 C.F.R. Part 30, Appendix B, 'Interagency Guidelines Establishing Information Security Standards'," the regulator added.

Commenting on the fine imposed on Capital One, Stuart Reed, UK Director of Orange Cyberdefense, said that the fine is another stark reminder of the financial implications of failing to fully assess cybersecurity risk. It is also a reminder of the potential challenges of migrating data from physical IT to the cloud, something that more and more organisations are seeking to do.

"This underlines the importance of building in robust cybersecurity from the outset to enable sustainable digital success without risking financial consequences and penalties that will hit an organisation's bottom line.

"Organisations need to adopt a mature cybersecurity posture, applying a layered approach that includes people, process, and enabling technologies to reduce the risk, minimise the impact of a breach should one occur, and demonstrate diligence and best practice to both customers and governing bodies.

"With huge financial penalties awaiting any company that fails to safeguard customers and their data, the task at hand may feel quite overwhelming, but it need not be. Organisations can create a safer digital society, and there is a wealth of expertise available to work in partnership and create a cybersecurity framework that suits their needs," he added.

Copyright Lyonsdown Limited 2020