Capital One Financial Corp will pay an $80 million fine to the Office of the Comptroller of the Currency for a 2019 data breach that exposed 106 million records of customers and credit card applicants.
The alleged hacker, Paige Thompson, a former Amazon employee, accessed the personal information stored on Capital One’s cloud by breaking through the company’s firewall on Amazon’s cloud service. The bank said at the time of the hack that the breach had happened because of a configuration vulnerability.
The OCC found that the internal audit function of Capital One “failed to identify numerous control weaknesses and gaps in the cloud operating environment,” and failed to effectively report on identified weaknesses to the audit committee in 2015, according to the consent order.
In addition, the bank had not developed adequate risk assessment processes before migrating its IT operations to the cloud. The risk management systems for the cloud operating environment were also lacking “appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts,” according to the order.
The bank also failed to address internal control weaknesses and establish accountability regarding issues that internal audit did bring up. The OCC determined that the bank “engaged in unsound or unsafe practices that were part of a pattern of misconduct,” according to the order.
Capital One “has begun addressing the identified corrective action and has been committed to providing resources to remedy the deficiencies,” according to the order.
“In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders,” a company spokesperson said in a statement. “We appreciate our regulators’ recognition of our positive customer notification and remediation efforts, and remain committed to working closely with them to ensure that we meet the highest standards of protection for our customers.”
Stephanie Liu is assistant editor at Internal Audit 360°.
Thorough analysis is very essential and effective when auditing. This could have been prevented.