Capital One is being forced to cough up an $80m (£61.4m) civil penalty over its 2019 data breach, which compromised the personal data of more than 106 million customers, but was only discovered after the hacker boasted about her exploits on the online forum for tech geeks, GitHub.
In a damning report following its investigation into the breach, US Treasury department, the Office of the Comptroller of Currency, said Capital One was aware its security practices were insufficient but that the board of directors “failed to take effective actions” to hold its management to account.
The breach happened between March and April last year, yet the first Capital One knew about it was in July, when someone tipped off the company that its customer data was up for grabs on GitHub. It was here that former Amazon cloud employee Paige Thompson had been bigging herself up about how easy it had been to obtain the information.
The attack exposed the personal details of 100 million people in the US and 6 million Canadians, including names, addresses and phone numbers of people who had applied for its credit card products.
The credit card giant insisted the hacker did not gain access to credit card account numbers but had to admit she did steal credit scores, credit limits, balances, payment history and contact information; some 140,000 social security numbers and 80,000 linked bank account numbers were compromised in the US, while in Canada about a million social insurance numbers belonging to Capital One credit card customers were also compromised.
According to the OCC report, Thompson, who has been charged with wire fraud and computer fraud, was able to exploit a “configuration vulnerability” to extract the information and post it to message boards. She has pleaded not guilty to the charges and her trial is scheduled for next year.
In a statement, the OCC said: “[We] took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.”
As part of the OCC ruling, Capital One must set up a compliance committee by the end of August, which will meet quarterly beginning in October and provide regular updates. The company must also create an action plan to detail what steps it is taking to improve online security.
In response, Capital One said: “The controls we put in place before last year’s incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker.”
The company insists it has “invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”
The $80m fine will be paid to the US Treasury department.