OCC frees Capital One from consent order tied to 2019 breach – Banking Dive

Dive Brief:

With the termination of the consent order, Capital One is no longer required to submit quarterly updates detailing its risk management and auditing practices to the OCC, which it was required to do following the discovery of the hack.

"The OCC believes that the safety and soundness of the bank and its compliance with laws and regulations does not require the continued existence of the [consent order]," the OCC wrote in its termination order, dated Aug. 31.

The consent order was handed down due to the failure to establish effective risk assessment processes before Capital One migrated significant operations to the public cloud, and the bank's failure to correct the deficiencies in a timely manner. The OCC did, however, positively consider Capital One's customer notification and remediation efforts following the breach.

Its termination indicates the bank has satisfied the OCC's risk management requirements and made good on Capital One CEO Richard Fairbank's 2019 apology.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," he said. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

Capital One had long positioned itself away from other banks, embracing a public cloud-first strategy rather than using private clouds and internal firewalls. Fairbank, prior to the hack's exposure, had called the bank "one of the most cloud-forward companies in the world."

The incident didn't pull Capital One off its cloud course, with the bank closing its final data center as planned in 2020.

A bank spokesperson that year said Capital One, since the breach, had "invested significant additional resources into further strengthening our cyber defenses, and ... made substantial progress in addressing the requirements of these orders."

Capital One was also hit with a cease-and-desist order from the Federal Reserve in conjunction with the OCC's penalty, requiring the bank's board of directors to submit a written plan outlining how it would improve its risk management program and internal controls for protecting customer data.

The bank agreed in December to pay $190 million to settle a class-action lawsuit related to the breach but, along with Amazon Web Services (AWS), denied all liability in the incident.

The breach was one of the biggest to hit the financial services sector, affecting 100 million in the U.S. and 6 million in Canada. Thompson accessed data including bank account numbers and credit card balances, as well as identifying information including names and birth dates. A former employee of Capital One's cloud hosting company AWS, she'd developed a tool to search for misconfigured AWS accounts and used it to download data from more than 30 entities, including Capital One.

Thompson also inserted cryptocurrency mining software on new servers, and directed the income to her personal digital wallet.

She reportedly bragged about the hack in texts and on online forums.

"Ms. Thompson used her hacking skills to steal the personal information of more than 100 million people, and hijacked computer servers to mine cryptocurrency," U.S. Attorney Nick Brown said during Thompson's seven-day jury trial. "Far from being an ethical hacker trying to help companies with their computer security, she exploited mistakes to steal valuable data and sought to enrich herself."

"She wanted data, she wanted money, and she wanted to brag," Assistant U.S. Attorney Andrew Friedman said in closing arguments.

Capital One wasn't the only financial services company subject to a data breach in 2019. That May, First American Financial Corp. exposed 885 million financial records linked to real estate transactions due to a web design error, and member data for 4.2 million customers at Desjardins, Canada's largest credit union, was accessed by an unauthorized employee.

Capital One did not return a request for comment by press time.
