Bank regulators dropped the hammer on Capital One, with the Office of the Comptroller of the Currency (OCC) levying an $80 million fine and the Federal Reserve filing a cease and desist order that specified what the steps the bank needed to take to redeem itself after a massive data breach in 2019 that compromised the personal data of more than 100 million of its customers.
The OCC fined Capital One, N.A. and Capital One Bank (USA), N.A. “based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.”
Hacker Paige Thompson, who revealed her actions on GitHub, leveraged a misconfigured web application firewall in March 2019 to access the Capital One’s files, hosted on Amazon Web Services S3 servers.
The storage buckets contained data that Americans and Canadians filled out on their credit card application forms, including names, addresses, zip/postal codes, phone numbers, email addresses, birth dates and self-reported income. Other compromised data included credit scores, credit limits, balances, payment histories, contact information, fragments of transaction data and, in a small subset of cases, Social Security numbers, linked bank account numbers and social insurance numbers.
While the OCC said it “positively considered the bank’s customer notification and remediation efforts” and advocates “responsible innovation” in banks under its purview, the regulator stressed that “sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.” Capital One’s deficiencies added up to unsafe or sound practices that caused the bank to fall out of compliance with governing security standards.
The Fed called on Capital One “to enhance its risk-management program and related governance and controls, specifically around cybersecurity and information security” and compelled the bank’s board of directors to submit its plans to do so within 90 days.
Among the requirements are ensuring “senior management maintains an effective operational risk management program and internal controls” and provide a review and oversight mechanism that has teeth as well as create a reporting function and ensure that “operational risk management and internal control issues are appropriately tracked, escalated, and reviewed,” according to the cease and desist order.
“Capital One’s fine of $80 million is a good reminder to take a look back at what caused the attack to begin with. Noting that the “breach was caused by an SSRF (Server Side Request Forgery), that took advantage of a vulnerability that came about because of the interaction of two different components of their application infrastructure,” K2 Cyber Security Co-founder and CTO Jayant Shukla said, “It’s too easy to get caught up in verifying the security of individual components of an application, and too easy to overlook the interaction between components, especially third party access and integration, like the one where the Capital One flaw began”
That’s why, Shukla said, “the requirement imposed on Capital One to improve its risk management and governance program is so important.”
Casey Kraus, president Senserva, said the plan required by the Fed “likely will be a tough task for the board to completed and be effective.” Since companies don’t “operate with the intention of getting breached, so Capital One may not understand all the possible exposures they had,” Kraus said. “It would be difficult for them to write a plan for improvement without knowing all the areas in which they can improve.”
If the financial firm produces the document requested by the Fed, “it will satisfy the internal security processes they will document and/or establish here” and that should be enough for the Fed, he said. “However, there is always risk to the end consumer because there will always be bad agents out there that are trying to exploit any possible exposure that is available, or will become available as technology continues to evolve.”
The regulatory strictures – and fine – dropped on Capital One should serve as a cautionary tale for other organizations, which “can learn from this that when it comes to security, you should always be trying to improve with each and every day,” said Kraus. “All it takes is one bad guy with one mistake to cause massive problems for an organization.”