The Office of the Comptroller of the Currency (OCC) hit Capital One with an $80 million fine for the July 2019 data breach. Weak risk management and controls caused it. The breach compromised the personal details of 100 million U.S. users and 6 million Canadian citizens. Jaclyn Jaeger discusses the Capital One data breach in this article at Compliance Week.
Capital One Data Breach
Capital One reported the data breach on the same day it happened. The culprit was Paige Thompson, who worked as a software engineer in a Seattle-based IT company. She declared on GitHub that she took advantage of a vulnerability in the firewall of the company’s Web application. So, what made the OCC hit Capital One with such a massive fine? Here are the reasons:
- The OCC’s consent order stated that Capital One did not have proper risk management processes in 2015. Nonetheless, the bank migrated its IT processes to the cloud. Even after the migration, it did not work on updating its risk protocols. As a result, the network, data security, and intrusion alerts were never in place.
- When the bank conducted in-house audits, it could not discover or report cloud framework issues to the auditors.
- If anyone raised a concern during the internal audits, none of the executives or stakeholders took responsibility for resolving the issues.
For all these reasons, Capital One could not locate vulnerabilities in its cloud infrastructure. The OCC therefore found that the bank was not complying with the Interagency Guidelines Establishing Information Security Standards. However, the committee acknowledged the bank’s promptness in notifying customers and its redressal processes.
The Federal Reserve Board further added a cease-and-desist order in light of the 2019 data breach. The bank must improve its risk management structure, governance, and network security. It should also submit an action plan within three months and state how it intends to achieve these goals.
To view the original article, visit the following link: https://www.complianceweek.com/regulatory-enforcement/occ-fines-capital-one-80m-over-2019-data-breach/29294.article
- Capital One Pays $80 Million Fine for 2019 Data Breach - August 14, 2020