Capital One is in the midst of that "worst case" data breach scenario following the 2019 hack that exposed information on more than 100 million customers.
After the breach, you get sued, your brand reputation takes a hit, and you must pay tens of millions in government fines when regulators declare you failed at information security.
Is that the end? No, not for Capital One.
Regulators are now forcing the company to be monitored by a compliance team that will examine the organization's information security practices from the cloud to the corporate boardroom.
This does not surprise cyber attorney Jordan Fischer, co-founder of XPAN Law Group, who says:
"Capital One is a sobering reminder that the actual breach is only the beginning for most companies. After remediation, and after the lawsuit, there can be many years of regulatory oversight that raises the bar, and the risk, associated with maintaining an ongoing security and privacy program."
We learned about all of these new details from a recently released government assessment of the bank's data breach. It is a cautionary tale for every organization. And it contains talking points for security leaders who must defend cybersecurity investments in a difficult COVID-19 economic environment.
Capital One fined $80 million for failing at information security
SecureWorld News just finished reading newly released orders by the Office of the Comptroller of Currency, which is part of the U.S. Treasury. The OCC, as it's known in the financial sector, has the critical mission of ensuring a safe and sound U.S. banking system.
And it claims Capital One's cloud security and overall information security failed so significantly that it is now ordering the company to pay an $80,000,000 civil penalty in the case.
Let's dive into some specific failures the OCC says it found during its investigation of the Capital One data breach.
How did Capital One fail at security in the cloud?
According to the newly issued OCC order, Capital One failed at cloud security in a number of ways, specifically:
"In or around 2015, the Bank failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment. The Bank also failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts."
As a reminder, the hacker took advantage of a cloud security misconfiguration as a key step for the successful attack.
How else did Capital One fail at information security?
As organizations move to the cloud, there are often weaknesses that need to be addressed. However, the OCC explains that Capital One failed this part of information security in a couple of different ways. First off, the auditing process was inadequate:
"The Bank's internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment. Internal audit also did not effectively report on and highlight identified weaknesses and gaps to the Audit Committee."
And when it comes to the weaknesses the audit committee did catch, the response from executive leadership was inadequate:
"For certain concerns raised by internal audit, the Board failed to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses."
The Office of the Comptroller of Currency says these things put the bank into non-compliance as it "...engaged in unsafe or unsound practices that were part of a pattern of misconduct."
Those are harsh words about one of the major financial services firms in the United States.
And now, regulators are launching the next phase in their efforts, to force the bank to improve its information security practices.
Capital One data breach fallout: what is next?
According to the OCC's order, issued August 6, 2020, regulators will monitor the establishment of an outside committee to supervise and report on Capital One and its work at reducing cyber risk. The "compliance committee" will kick things off immediately to:
- Ensure Capital One is working on meeting requirements issued by the OCC's orders
- Assess and describe corrective actions needed
During the coming months, the committee will need to submit an "Action Plan" to the OCC examiner-in-charge, including:
- Deadlines for corrective actions
- A written plan to "improve oversight of the Bank's cloud operating environment information security program"
- "Develop an effective risk assessment process, including risk assessment processes specific to technology changes"
- "Reassess the quality and content of Board reporting and improve transparency into the materiality and status of known technology and cyber risk issues"
- "Increase scrutiny, monitoring and oversight of management's actions to address significant technology and cyber risk issues, including audit findings"
- "Hold management accountable for the timely remediation of material risk issues identified by internal and external sources, including requiring management to explain why key issues and risks related to the cloud operating environment have not been addressed in a timely and effective manner"
These are simply the regulatory highlights. If you want to do an even deeper dive on the OCC findings, see the following:
While all of this is going on, Capital One is fighting to keep an independent assessment of what happened in its data breach a secret.
The bank hired PwC to create a "comprehensive, independent opinion" of its 2019 data breach, and lawyers that are suing the company want to see it. Capital One recently filed a motion to keep that report confidential.
We'll let you know if that report gets released because we're guessing it has some lessons learned worth sharing with the information security community.
Wondering how the Capital One data breach happened in the first place? Check out 8 Cybersecurity Facts Revealed About the Capital One Hacker.
Now we know how the data breach started and some of the ways Capital One failed at InfoSec. What we don't know is when or where the data breach fallout will end.
However, Jordan Fischer of XPAN Law says every organization can take something away from what is happening here:
"It is key that companies not only create cyber and privacy policies and practices, but then develop metrics to actually ensure that those practices and policies are being followed.
Accountability is key: how do you ensure that privacy and security are actually operationalized? Capital One is an example of this gap in their program: finding the holes, and then having a method to fill them."
Or else someone else may soon dictate how and when those holes get filled.