It was announced yesterday that Capital One has been ordered by the Office of the Comptroller of the Currency (OCC) to pay an $80 million fine after the company suffered a massive data breach in 2019.
It is estimated that the breach impacted more than 100 million Capital One customers, exposing the names and addresses of individuals in both the US and Canada. It is believed that the individual behind the attack was a former employee of Amazon Web Services, the cloud provider to which Capital One was migrating its data.
The fine is substantial and is punishment for the bank failing to adequately protect the data of its users when migrating to the cloud.
Commenting on the news is Mark Bower, senior vice-president at data security specialist comforte AG:
“The OCC’s Capital One order mirrors how we’ve seen industry regulators rip into ineffective controls over data protection. The signal is very clear: the often referenced shared responsibility cloud model means naught when it’s your data. You are responsible and accountable and will pay the price if gaps are exploited. This isn’t the first time either. The Equifax case was crystal clear in its FTC order, mandating ‘Implementing protections, such as encryption, tokenization, or other at least equivalent protections, for Personal Information collected, maintained, processed, or stored by Defendant, including in transit and at rest.’ What’s very surprising about this breach is, per Capital One’s prior announcements, only a fraction of the regulated data was properly tokenized (credit card and SSN data), and the rest accessible under attack. Had tokenization been applied across the full regulated data set, this breach would have been a non-event.
“The $80M fine is the tip of the iceberg. The true cost of remediation, impact, and the reputational loss is likely to be a lot higher. This may also set the tone for secondary litigation, where cost impact can escalate.”
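The quoted comment turns on one point: if only some regulated fields are tokenized, a copy of the data store still yields the rest in clear. The following is an added illustration, not code from Capital One, comforte AG or the OCC order; it uses a simple vault-based tokenization scheme (random tokens, mapping held only in the vault) as one assumed approach, with constructed sample customer records, and compares what a dump of the store reveals under partial versus full tokenization.

```python
"""Vault-style tokenization demo (added example; assumed design, constructed data).

The list of dicts stands in for the cloud data store a breach would expose; the
TokenVault stands in for the separately protected tokenization service.
"""
import secrets

SENSITIVE_FIELDS = ("name", "address", "ssn", "card_number")  # assumed regulated set
PARTIAL_FIELDS = ("ssn", "card_number")                       # only these tokenized


class TokenVault:
    """Maps sensitive values to random tokens with no mathematical relation to
    the value. The mapping lives only here, so a copy of the data store alone
    reveals nothing about the original values."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        if value in self._to_token:           # same value -> same token
            return self._to_token[value]
        while True:
            token = "tok_" + secrets.token_hex(8)
            if token not in self._to_value:   # avoid the (unlikely) collision
                break
        self._to_token[value] = token
        self._to_value[token] = value
        return token

    def detokenize(self, token):
        """Authorised reverse lookup; only the vault can do this."""
        return self._to_value[token]


def protect_record(record, vault, fields):
    """Return a copy of the record with the named fields replaced by tokens."""
    return {k: (vault.tokenize(v) if k in fields else v) for k, v in record.items()}


def exposed_fields(stored_records, original_records):
    """Sensitive fields whose original value is readable in the stored copy,
    i.e. what someone who dumps the store obtains without the vault."""
    exposed = set()
    for stored, original in zip(stored_records, original_records):
        for field in SENSITIVE_FIELDS:
            if stored.get(field) == original.get(field):
                exposed.add(field)
    return sorted(exposed)


# Constructed sample records: not real people, addresses, SSNs or card numbers.
CUSTOMERS = [
    {"id": 1, "name": "Ann Example", "address": "1 Sample St",
     "ssn": "000-00-0001", "card_number": "4000000000000001"},
    {"id": 2, "name": "Bob Example", "address": "2 Sample Ave",
     "ssn": "000-00-0002", "card_number": "4000000000000002"},
]


def simulate(fields):
    """Store the records with `fields` tokenized.
    Returns (stored_records, fields_still_readable, vault)."""
    vault = TokenVault()
    stored = [protect_record(r, vault, fields) for r in CUSTOMERS]
    return stored, exposed_fields(stored, CUSTOMERS), vault


if __name__ == "__main__":
    for label, fields in (("partial", PARTIAL_FIELDS), ("full", SENSITIVE_FIELDS)):
        _, exposed, _ = simulate(fields)
        print(f"{label} tokenization -> readable in a dump of the store: {exposed or 'none'}")
    # The authorised path restores values through the vault, never from the store.
    stored, _, vault = simulate(SENSITIVE_FIELDS)
    print("detokenize ok:", vault.detokenize(stored[0]["ssn"]) == CUSTOMERS[0]["ssn"])
```

With the partial field set the dump still carries names and addresses in clear, which is the gap the comment describes; with the full set it carries only tokens, and value recovery requires access to the vault, which therefore has to be protected and monitored as a separate, tightly scoped component rather than co-located with the store.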