Capital One fined $80m for data breach

Capital One has agreed to an $80 million fine from US regulators over last year's hack, which exposed the personal information of more than 100 million customers and applicants.

The Office of the Comptroller of the Currency (OCC) calculated the fine based on a "failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner".

Capital One revealed last July that a hacker accessed information relating to about 100 million American and six million Canadian customers that was stored on Amazon Web Services cloud servers.

The following month, software engineer Paige Thompson was indicted for wire fraud and computer data theft related to alleged unauthorised intrusion into stored data of more than 30 companies, including Capital One.

According to the indictment, Thompson created scanning software that allowed her to identify AWS customers who had misconfigured their firewalls, allowing outside commands to penetrate and access their servers.

The US regulator also demanded that Capital One improve its risk management programme and related governance and controls, specifically around cyber security.

Commenting on the fine, Mark Bower, senior vice president at data security specialist comforte AG, said that the signal is very clear: the often-referenced shared-responsibility cloud model means nothing when it’s your data.

"What’s very surprising about this breach is, per Capital One’s prior announcements, only a fraction of the regulated data was properly tokenised - credit card and SSN data - and the rest accessible under attack," he explained, adding that had tokenisation been applied across the full regulated data set, this breach would have been a non-event.

"This fine is the tip of the iceberg - the true cost of remediation, impact, and the reputational loss is likely to be a lot higher - this may also set the tone for secondary litigation, where cost impact can escalate."
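To make the tokenisation argument in the quotes above concrete, here is an added illustration that is not part of the original article and not code from Capital One, AWS or comforte AG. It models a simple vault-based tokenisation scheme: sensitive field values are replaced in the stored record by random tokens, and only a separately held vault can map a token back to its value. The sample record, the list of "regulated" fields and the `tok_` token format are all constructed assumptions for this example. It contrasts tokenising only card and SSN fields (the partial coverage the quote describes) with tokenising the full regulated set, and checks which regulated fields a copy of the stored data would still reveal in clear.

```python
import secrets
from typing import Dict, Iterable, Set

# Constructed sample record: every value here is made up for this example.
SAMPLE_RECORD: Dict[str, str] = {
    "name": "Jane Example",
    "dob": "1980-01-01",
    "address": "1 Example Street",
    "ssn": "123-45-6789",
    "card_number": "4111111111111111",
    "credit_score": "712",
}

# Fields treated as regulated personal data in this example (an assumption,
# not a statement of any particular regulation's scope).
REGULATED_FIELDS: Set[str] = {
    "name", "dob", "address", "ssn", "card_number", "credit_score",
}


class TokenVault:
    """Maps random tokens back to the original clear values.

    In a real deployment the vault is a separately secured system; here it
    is an in-memory dict so the example runs offline.
    """

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        # A fresh random token per call: it carries no information about
        # the value and cannot be reversed without the vault mapping.
        token = "tok_" + secrets.token_hex(16)
        self._token_to_value[token] = value
        return token

    def detokenise(self, token: str) -> str:
        # Only code with vault access can recover the clear value.
        return self._token_to_value[token]


def tokenise_record(record: Dict[str, str], fields: Iterable[str],
                    vault: TokenVault) -> Dict[str, str]:
    """Return a copy of `record` with the named fields replaced by tokens."""
    stored = dict(record)
    for field in fields:
        if field in stored:
            stored[field] = vault.tokenise(stored[field])
    return stored


def exposed_regulated_fields(stored_record: Dict[str, str],
                             original_record: Dict[str, str],
                             regulated: Set[str] = REGULATED_FIELDS) -> Set[str]:
    """Regulated fields whose clear value is still present in the stored copy.

    This is what an attacker who copied the stored data would learn.
    """
    return {
        f for f in regulated
        if f in stored_record and stored_record[f] == original_record[f]
    }


def demo() -> Dict[str, object]:
    vault = TokenVault()
    # Partial coverage: only card and SSN tokenised, as described in the quote.
    partial = tokenise_record(SAMPLE_RECORD, {"ssn", "card_number"}, vault)
    # Full coverage: every regulated field tokenised.
    full = tokenise_record(SAMPLE_RECORD, REGULATED_FIELDS, vault)
    return {
        "partial_exposed": exposed_regulated_fields(partial, SAMPLE_RECORD),
        "full_exposed": exposed_regulated_fields(full, SAMPLE_RECORD),
        # Authorised code can still recover values through the vault.
        "round_trip_ok": vault.detokenise(full["ssn"]) == SAMPLE_RECORD["ssn"],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that the stored copy is only as safe as its least-covered field: with partial tokenisation, a leaked store still exposes name, date of birth, address and score, whereas with full coverage the store holds nothing but opaque tokens and the vault becomes the asset that must be isolated and monitored.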
