Federal Regulator Fines Capital One $80 million for Security Oversights Resulting in One of the Largest Financial Data Breaches
The Office of the Comptroller of the Currency has ordered Capital One to pay $80 million in settlement of the federal charges over the 2019 hack of the bank’s computer systems, resulting in one of the largest financial data breaches. As a result of the hack, carried out by a single individual, 140,000 Social Security numbers and 80,000 linked bank account numbers were compromised. The accused hacker was a former employee of a cloud provider where the bank had moved its data. The hacker allegedly created a program to scan cloud customers for a specific web application firewall misconfiguration and then exploited it to extract privileged account credentials for victim databases and other web applications.
According to the Consent Order, Capital One failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud. The bank also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts. In addition, the bank’s internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment and did not effectively communicate identified weaknesses and gaps to the Audit Committee. The bank’s Board, in turn, failed to take effective actions to hold management accountable with respect to certain concerns raised by internal audit.
In addition to paying the fine, Capital One is required to establish a compliance committee and to create an action plan detailing the steps it is taking to improve security.
For businesses transitioning to or conducting their information technology operations in the cloud environment, robust security is essential. It is imperative for companies to conduct privacy and security risk assessments and establish appropriate risk management controls, including effective communication and accountability mechanisms, particularly when processing sensitive financial and personal data.
Ask Clarip today how we can solve your biggest privacy compliance pain points. Call Clarip at 1-888-252-5653.