The US Office of the Comptroller of the Currency (OCC) has imposed an $80 million fine on the credit card provider Capital One Financial Corp over a 2019 data breach. Capital One, one of the largest U.S. card issuers and financial corporations, suffered a data breach in 2019 that exposed personal information from more than 100 million credit applications.
A hacker who goes online by the handle “erratic” breached the systems at Capital One and gained access to personal information from 106 million Capital One credit applications.
Law enforcement identified and arrested the hacker behind the attack, a former Seattle technology company software engineer named Paige A. Thompson (33).
Paige Thompson is a transgender woman suspected to be the hacker behind the Capital One hack and attacks on 30 other organizations; in August 2019 she was indicted on wire fraud and computer fraud.
The Office of the Comptroller of the Currency (OCC) is an independent bureau within the United States Department of the Treasury that was established by the National Currency Act of 1863 and serves to charter, regulate, and supervise all national banks and thrift institutions and the federally licensed branches and agencies of foreign banks in the United States.
The OCC claims that Capital One failed to implement an appropriate risk management process before migrating its IT operations to a public cloud-based service.
“The OCC took these actions based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner,” reads the press release published by the OCC. “In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts.”
The bank also failed to appropriately design and implement certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.
The OCC also pointed out that the internal audit conducted by Capital One failed to identify numerous control weaknesses and gaps in the cloud operating environment, and that the audit did not report the weaknesses and gaps it did identify to the Audit Committee.
The bank’s conduct was not compliant with the “Interagency Guidelines Establishing Information Security Standards” that apply to all US banks.
Paige also accessed names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income, along with portions of credit card customer data, including:
The hacker accessed bank account numbers and Social Security numbers only for a limited number of customers:
The OCC also ordered Capital One to enhance its cybersecurity posture and to submit a plan to the OCC within 90 days detailing how it will do so.
(SecurityAffairs – hacking, Capital One)