2019 data leak compromised personal data of over 100 million customers
The Office of the Comptroller of the Currency (OCC) has fined Capital One, one of the largest US banks, $80 million for a 2019 data breach that exposed the personal information of roughly 106 million customers. The penalty comes a little over a year after the hacker who broke into the bank's infrastructure hosted on Amazon Web Services (AWS) was arrested for accessing internal data stores and stealing customer information.
According to official documents released by the OCC, an independent bureau within the US Treasury Department that charters and supervises national banks and federal savings associations, the bank failed to adequately protect customer data and privacy by allowing the cybersecurity incident to happen. Before settling on the size of the fine, however, the regulator took into account the bank's efforts to notify customers and remediate the situation:
The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner. In taking this action, the OCC positively considered the bank's customer notification and remediation efforts.
Data stolen by a former Amazon Web Services engineer
High-profile data breaches most commonly happen because companies fail to adequately secure databases, AWS S3 buckets, or access to servers. In Capital One's case, the intrusion was carried out by Paige A. Thompson, a former Amazon Web Services (AWS) software engineer who had worked for the cloud provider between 2015 and 2016; she had no authorized access to the bank's systems at the time of the attack.
She gained access to Capital One's AWS environment by abusing a misconfiguration. Court filings describe a web application firewall on a Capital One server that could be induced to relay requests to the EC2 instance metadata service, which handed back temporary IAM credentials that allowed her to list and copy data from the bank's S3 storage. The data included names, home addresses, Canadian Social Insurance Numbers, credit scores, credit card balances and limits, and more. Capital One stated that no credit card account numbers or login credentials were compromised and that over 99 percent of Social Security numbers were unaffected, although about 140,000 Social Security numbers and 80,000 linked bank account numbers were exposed.
Thompson might not have been caught had she not advertised the stolen data on GitHub: an anonymous person who spotted the post reported it to Capital One on July 17, 2019, prompting an immediate investigation. Thompson was arrested and charged with computer fraud and abuse in connection with intrusions into more than 30 organizations, and she is still awaiting trial.
Because the vulnerability and misconfiguration lay within Capital One's own environment, the bank was accused of negligence and failure to protect user data. This is the cloud shared-responsibility model in practice: the provider secures the underlying platform, but the customer is accountable for how its own workloads, firewalls and access controls are configured.
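The weakness exploited in this breach, as described in the public court filings, was a server-side component that relayed attacker-controlled URLs to the EC2 instance metadata service at 169.254.169.254 and thereby leaked the instance's IAM role credentials. The following added example, which is not code from the article, from Capital One or from AWS, contrasts the kind of check that fails (a denylist of "obviously internal" IP literals) with a hardened allowlist check that a relay or URL-fetching feature should apply before forwarding any request. The metadata address and the security-credentials path are AWS's documented IMDS endpoint; the upstream hostnames in the allowlist are hypothetical, and the sample URLs are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of upstream services this relay is permitted to reach.
ALLOWED_UPSTREAMS = {"app.example.internal", "api.example.internal"}

# AWS's documented metadata endpoint (real address and path, used here only as a test input).
IMDS_CREDENTIALS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"


def is_blocked_address(host: str) -> bool:
    """Return True when host is an IP literal inside a range a relay must never reach.

    Returns False for anything that does not parse as an IP literal: a hostname,
    or an obfuscated form such as a decimal or hex integer, which the standard
    library will not parse. That gap is exactly why a denylist alone is not enough.
    """
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 checks apply.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_link_local      # 169.254.0.0/16, where cloud metadata services live
        or addr.is_loopback
        or addr.is_private
        or addr.is_unspecified
        or addr.is_multicast
        or addr.is_reserved
    )


def denylist_only(url: str) -> bool:
    """The weak check: forward the request unless the host is a recognisably internal IP literal."""
    return not is_blocked_address(urlsplit(url).hostname or "")


def allowlist_relay(url: str) -> bool:
    """The hardened check: scheme, host and port must match the allowlist.

    Internal ranges are still rejected explicitly as defence in depth, but the
    decisive control is that an unknown host is never forwarded, so integer-encoded
    or otherwise disguised addresses fail closed instead of slipping through.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        return False
    if is_blocked_address(host):
        return False
    return host in ALLOWED_UPSTREAMS and parts.port in (None, 80, 443)


if __name__ == "__main__":
    # Constructed sample targets: the real metadata URL, a decimal-encoded form of the
    # same address, an IPv4-mapped IPv6 form, and one legitimate upstream.
    samples = [
        IMDS_CREDENTIALS_URL,
        "http://2852039166/latest/meta-data/iam/security-credentials/",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://app.example.internal/health",
    ]
    for url in samples:
        print(f"{url}\n  denylist forwards: {denylist_only(url)}  allowlist forwards: {allowlist_relay(url)}")
```

The decimal-encoded address 2852039166 is 169.254.169.254 written as a single 32-bit integer, a form many HTTP clients accept; the denylist lets it through because it is not parsed as an IP literal, while the allowlist rejects it simply because it is not a known upstream. Blocking the relay path is one layer; requiring IMDSv2 (a session token obtained with a PUT request, which a plain GET-forwarding relay cannot produce) on the instances themselves is the complementary control on the AWS side.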
Noncompliance with IT Security Standards
Besides imposing the $80 million fine, the OCC ordered Capital One to take adequate steps to improve its internal risk management and cybersecurity controls so that its customers' personal information is properly protected.
Under the order, Capital One has to submit a plan within 90 days describing how it will implement the improved risk management system and internal security controls. The plan must clearly assign responsibility for cybersecurity-related roles and ensure that adequate training is provided.
Capital One has not directly commented on the $80 million penalty, which stems from a regulatory consent order rather than a court ruling, but it did say that the security controls it had in place before the hack helped to catch Thompson, and that it has since strengthened them:
Safeguarding our customers' information is essential to our role as a financial institution. In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.