[BreachExchange] Capital One ordered to pay $80 million penalty for its role in a 2019 data breach

Destry Winant destry at riskbasedsecurity.com
Mon Aug 10 10:25:33 EDT 2020


https://www.theverge.com/2020/8/8/21359761/capital-one-80-million-fine-2019-data-breach

Capital One will pay an $80 million civil penalty for its role in a
2019 security breach that exposed the personal data of more than 100
million customers, The Wall Street Journal reported. In a scathing
report on its investigation into the breach, the Office of the
Comptroller of Currency, part of the US Treasury, said Capital One was
aware its security practices were woefully insufficient, and that the
company’s board of directors “failed to take effective actions to hold
management accountable.”

The breach happened in March and April of 2019, but Capital One was
apparently not aware of the problem until mid-July. That’s when
someone tipped the company to a public GitHub page where private
Capital One data was available. That led investigators to former
Amazon cloud employee Paige Thompson, who was charged with wire fraud
and computer fraud. Authorities say Thompson was able to exploit a
“configuration vulnerability” to extract the Capital One customers’
information and post it to message boards. She pleaded not guilty to
the charges and her trial is scheduled for next year.

“The OCC took these actions based on the bank’s failure to establish
effective risk assessment processes prior to migrating significant
information technology operations to the public cloud environment and
the bank’s failure to correct the deficiencies in a timely manner,”
the OCC said in a statement announcing the penalty.

As part of a consent order from OCC, Capital One must establish a
compliance committee by the end of August, which will meet quarterly
beginning in October and provide regular updates. The company is
required to create an action plan to detail what steps it’s taking to
improve security.

A Capital One spokesperson said in an email to The Verge that controls
the company put in place before last year’s incident “enabled us to
secure our data before any customer information could be used or
disseminated and helped authorities quickly arrest the hacker.” Since
the incident, the spokesperson added, the company has “invested
significant additional resources into further strengthening our cyber
defenses, and have made substantial progress in addressing the
requirements of these orders.”

The penalty will be paid to the Treasury department.
