posted by martyb on Saturday August 08 2020, @09:04AM   Printer-friendly
from the what's-in-your-wallet-may-have-been-leaked dept.

Capital One Fined $80m for 2019 Breach:

According to a statement from the Office of the Comptroller of the Currency (OCC), these actions were taken against Capital One "based on the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner".

The breach occurred in March 2019, when a former employee of Capital One named Paige Thompson exfiltrated the data of 100 million people in the US and six million in Canada, exploiting a weakness in the configuration of perimeter security controls to gain access to sensitive files housed in its cloud storage.

Capital One blamed a "configuration vulnerability" as the customer data was exfiltrated from an AWS S3 data storage service and moved to a GitHub site. At the time, Capital One said the breached information "included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth and self-reported income."

In taking the financial action, the OCC said it considered the bank's customer notification and remediation efforts, and while it "encourages responsible innovation" in all banks it supervises, "sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers."

[...] "The signal is very clear: the often referenced shared responsibility cloud model means naught when it's your data," he added. "What's very surprising about this breach is, per Capital One's prior announcements, only a fraction of the regulated data was properly tokenized (credit card and SSN data), and the rest accessible under attack. Had tokenization been applied across the full regulated data set, this breach would have been a non-event."
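The expert's claim above, that the breach would have been a non-event had tokenization covered the whole regulated data set, as an added Python example that is not code from the article or from Capital One. A random-token vault tokenizes the application fields the article lists, and the partial scope the quote describes (card number and SSN only) is compared with full scope; the sample record, field names and the `tok_` prefix are constructed assumptions.

```python
import secrets
from typing import Dict, Set, Tuple

# Constructed sample application record built from the field list in the article
# (name, address, postal code, phone, email, date of birth, income) plus the card
# number and SSN that the quoted expert says were the only tokenized fields.
SAMPLE_APPLICATION: Dict[str, str] = {
    "name": "Jane Example", "address": "1 Example Street", "postal_code": "12345",
    "phone": "555-0100", "email": "jane@example.com", "dob": "1980-01-01",
    "income": "85000", "ssn": "123-45-6789", "card_number": "4111111111111111",
}
PARTIAL_SCOPE: Set[str] = {"ssn", "card_number"}   # what the quote says was tokenized
FULL_SCOPE: Set[str] = set(SAMPLE_APPLICATION)     # every regulated field

class TokenVault:
    """Maps random tokens back to real values. The vault is the only place a token
    can be reversed, so it must live outside the store that holds the records."""
    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[Tuple[str, str], str] = {}

    def tokenize(self, field: str, value: str) -> str:
        key = (field, value)
        if key not in self._by_value:                # same value -> same token per field
            token = "tok_" + secrets.token_hex(8)    # random: reveals nothing about value
            while token in self._by_token:           # extremely unlikely collision
                token = "tok_" + secrets.token_hex(8)
            self._by_token[token] = value
            self._by_value[key] = token
        return self._by_value[key]

    def is_token(self, s: str) -> bool:
        return s in self._by_token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]                 # KeyError for unknown tokens

def tokenize_record(record: Dict[str, str], vault: TokenVault, scope: Set[str]) -> Dict[str, str]:
    """Copy of the record with every field in `scope` replaced by a vault token."""
    return {k: vault.tokenize(k, v) if k in scope else v for k, v in record.items()}

def detokenize_record(record: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """Reverse tokenization; only possible with access to the vault."""
    return {k: vault.detokenize(v) if vault.is_token(v) else v for k, v in record.items()}

def exposed_fields(original: Dict[str, str], stored: Dict[str, str]) -> list:
    """Fields someone reading only the stored copy (no vault) would see in the clear."""
    return sorted(k for k, v in stored.items() if v == original[k])

if __name__ == "__main__":
    vault = TokenVault()
    print("partial scope exposes:", exposed_fields(SAMPLE_APPLICATION, tokenize_record(SAMPLE_APPLICATION, vault, PARTIAL_SCOPE)))
    print("full scope exposes:", exposed_fields(SAMPLE_APPLICATION, tokenize_record(SAMPLE_APPLICATION, vault, FULL_SCOPE)))
```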

    by Rosco P. Coltrane (4757) on Saturday August 08 2020, @09:51AM (#1033397)

    "The signal is very clear: the often referenced shared responsibility cloud model means naught when it's your data,"

    The actual signal is: a big bank with a $28B yearly revenue was slapped with a microscopic $80M fine for fucking up user data management. In other words, the OCC is either powerless, corrupt, or explicitly confirmed that it's okay to continue business as usual.

    by jasassin (3566) <jasassin@gmail.com> on Sunday August 09 2020, @10:29AM (#1033732) Homepage Journal

    Capital One.
    Who's in your wallet?

    --
    jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A