Capital One Fined $80M for 2019 Breach

by
martyb
from SoylentNews on (#56P9W)

upstart writes in with an IRC submission:

Capital One Fined $80m for 2019 Breach:

According to a statement from the Office of the Comptroller of the Currency (OCC), these actions were taken against Capital One "based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner".

The breach occurred in March 2019, when a former employee of Capital One named Paige Thomson exfiltrated the data of 100 million people in the US and six million in Canada, exploiting a weakness in the configuration of perimeter security controls to gain access to sensitive files housed in its cloud storage.

Capital One blamed a "configuration vulnerability" as the customer data was exfiltrated from an AWS S3 data storage service and moved to a Github site. At the time, Capital One said the breached information "included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income."

In taking the financial action, the OCC said it considered the bank's customer notification and remediation efforts, and while it "encourages responsible innovation" in all banks it supervises, "sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers."

[...] "The signal is very clear: the often referenced shared responsibility cloud model means naught when it's your data," he added. "What's very surprising about this breach is, per Capital One's prior announcements, only a fraction of the regulated data was properly tokenized (credit card and SSN data), and the rest accessible under attack. Had tokenization been applied across the full regulated data set, this breach would have been a non-event."

Original Submission

Read more of this story at SoylentNews.

External Content
Source RSS or Atom Feed
Feed Location https://soylentnews.org/index.rss
Feed Title SoylentNews
Feed Link https://soylentnews.org/
Feed Copyright Copyright 2014, SoylentNews
Reply 0 comments