Capital One Financial Corp. has been penalized $80 million by the U.S. Treasury Department for a data breach of its accounts that occurred a year ago.
It has been accused of carelessness in its security network that enabled a hack to access personal information of 106 million credit cardholders of the bank.
Capital One migrated its operations to a cloud-based service in 2015 and it seems that enough security and risk management protocols were not put in place to prevent such a breach, claims the department.
The Comptroller of Treasury said the bank’s own internal audit failed to identify “numerous weaknesses” in its management of the cloud environment and “engaged in unsafe or unsound practices that were part of a pattern of misconduct.”
Capital One in its consent order to the government body has committed to fixing the problem. Capital One’s breach is one of the largest of its kind. The 2019 breach compromised about 140,000 Social Security numbers and 80,000 bank account numbers, says a news report.
A hacker obtained personal information, including names and addresses of about 100 million individuals in the United States and 6 million people in Canada. The suspected hacker was a former employee of Amazon Web Services, a cloud provider where the bank had moved some of its data.
“Safeguarding our customers’ information is essential to our role as a financial institution,” said a bank representative in a statement. “In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”
The perpetrator of the crime has been identified as one Paige Thompson, working with Amazon. S/he has denied the charges.
Thompson is set to stand trial in February. She is transgender and her lawyers have requested that she be sequestered at a halfway house, keeping her mental health in mind. But the judge in the case denied the request saying she was a flight risk and danger to others.
No evidence has emerged that Thompson sought to benefit financially from the hack.
The Office of the Comptroller of Currency has also ordered the bank to overhaul its operations to ensure it is adequately guarding against general cybersecurity risks and risks specific to cloud operations. The OCC also wants the bank to submit those plans for review. The bank faces similar scrutiny from the Federal Reserve.
The data breach should alert other banks that are migrating data to cloud-based services.
Banks are now being lured by such outsourcing services, which offer a cost-effective way for storing huge databases that require a lot of upkeep in-house.
The problem is that safety is compromised. Banks across the globe have embraced cloud solutions offered by the likes of Amazon, Google, and Microsoft.
Some argue that the new system is more secure as the cloud servicing companies are huge software companies with sophisticated high-end security measures.
But as is evident by the current security breaches that happened at Twitter, Amazon, and the Waymo patent documents, sometimes in-house personnel compromise and give access to secrets.