Capital One must pay a trivial $80m fine for its shoddy public cloud security – yes, the US banking giant that was hacked last year by a miscreant who stole personal information on 106 million credit-card applicants in America and Canada.
That swiped data included 140,000 US social security numbers and 80,000 bank account numbers, we're told, as well as one million Canadian social insurance numbers, plus names, addresses, phone numbers, dates of birth, and reported incomes.
Now the Office of the Comptroller of the Currency (OCC), an independent bureau of the US Department of Treasury, has announced it will fine Capital One (annual profit: $5.7bn) for bungling its circa-2015 migration of on-premises IT to the cloud, a move that put customer data at risk prior to the 2019 mega-hack. Uncle Sam will pocket the money.
“The OCC took these actions based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner,” the watchdog said in a statement on Thursday.
“In taking this action, the OCC positively considered the bank's customer notification and remediation efforts. While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers.”
The OCC order [PDF] stated the Virginia-based bank had glossed over numerous weaknesses in its cloud-based data storage in an internal audit in 2015. What security flaws it did find, however, were not adequately reported to the financial goliath's audit committee.
Watch as 10 cops with guns and military camo storm suspected Capital One hacker's house…READ MORE
Capital One also failed to patch vulnerabilities, and as a result, it violated official security guidelines that all US banks must comply with.
The slipshod attitude to security led to one of the worst computer security breaches involving financial information in recent years. Seattle software engineer Paige Thompson was accused of breaking into Capital One’s cloud buckets and stealing tons of personal data belonging to customer.
Thomson was cuffed in an armed raid in July 2019, and charged with breaking the US Computer Fraud and Abuse Act.
The OCC also applied for a cease-and-desist order against Capital one, forbidding it from "engaging in unsafe or unsound practices, including those relating to information security," which we're sure will do the trick.
Capital One, meanwhile, claimed it has shored up its defenses since the intrusion, and argued that whatever systems it had in place prior to the hack, at least they were able to help contain the mess to some degree.
“Safeguarding our customers’ information is essential to our role as a financial institution,” a spokesperson for Capital One told The Register. “The controls we put in place before last year’s incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker.
“In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders. We appreciate our regulators’ recognition of our positive customer notification and remediation efforts, and remain committed to working closely with them to ensure that we meet the highest standards of protection for our customers.” ®