Capital One fined $80m for data breach

Capital One has agreed to an $80 million fine from US regulators over last year's hack, which exposed the personal information of more than 100 million customers and applicants.

The Office of the Comptroller of the Currency (OCC) calculated the fine based on a "failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner".

Capital One revealed last July that a hacker accessed information relating to about 100 million American and six million Canadian customers that was stored on Amazon Web Services cloud servers.

The following month, software engineer Paige Thompson was indicted for wire fraud and computer data theft related to alleged unauthorised intrusion into stored data of more than 30 companies, including Capital One.

According to the indictment, Thompson created scanning software that allowed her to identify AWS customers who had misconfigured their firewalls, allowing outside commands to reach and access their servers.

The US regulator also demanded that Capital One improve its risk management programme and related governance and controls, specifically around cyber security.

Commenting on the fine, Mark Bower, senior vice president at data security specialist comforte AG, said that the signal is very clear: the often referenced shared responsibility cloud model means nothing when it’s your data.

"What’s very surprising about this breach is, per Capital One’s prior announcements, only a fraction of the regulated data was properly tokenised - credit card and SSN data - and the rest accessible under attack," he explained, adding that had tokenisation been applied across the full regulated data set, this breach would have been a non-event.

"This fine is the tip of the iceberg - the true cost of remediation, impact, and the reputational loss is likely to be a lot higher - this may also set the tone for secondary litigation, where cost impact can escalate."
