Capital One Financial Corp has agreed to pay an $80 million penalty after the bank suffered a massive data breach that affected more than 100 million customer records in July 2019.
The breach was the result of an unsecured Amazon S3 bucket that housed credit card applications with names, addresses, zip codes/postal codes, phone numbers, email addresses and dates of birth of customers. The exposed data also included 140,000 Social Security numbers, 80,000 of which linked bank account numbers.
According to a notice posted by Capitol One on July 19, 2019, “we determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for our credit card products.”
The “outside individual” was later identified as a 33-year-old software engineer from Seattle, who was charged with breaching Capital One and 30 additional organizations to mine cryptocurrency.
In addition to the financial settlement, the Capital One is required to focus on its risk-management program and internal controls to boost cyber- and information security.
“The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner,” the Office of the Comptroller of the Currency (OCC) said.
“In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts. While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.”
The bank must comply with the OCC Consent Order, and within a 90-day deadline submit a written “Risk Assessment Plan” that should include:
• Documentation of expected and potential threats of material changes to the cloud and legacy technology environments and mitigating controls orremediation plans to address such threats
• Risk mitigation testing from the beginning and throughout the new project life cycle
• A threat inventory for use in risk assessment processes