OCC Fines Capital One and the Implications for Banks and Boards
On August 5, 2020, the Office of the Comptroller of the Currency (OCC) announced a record $80 million civil money penalty against Capital One for the data breach the bank suffered in 2019. The breach came to light when data taken from Capital One’s cloud environment was found posted on GitHub. A misconfigured web application firewall (WAF) in front of that environment allowed anyone who understood the flaw, and had the ability to exploit it, to reach data that should never have been exposed. The misconfiguration was, however, esoteric enough that recognizing and exploiting it required specialized knowledge of, or extensive experience with, how such a server is configured.
The intrusion was carried out by Paige Thompson, a former Amazon Web Services (AWS) software engineer who had left the company years before the breach. Thompson allegedly exploited the flaw, downloaded approximately 30 GB of data from Capital One’s environment, and posted details of the intrusion on GitHub. The stolen data is estimated to have covered roughly 100 million credit card applicants and included approximately 140,000 Social Security numbers. The FBI arrested Thompson, and federal prosecutors charged her with the theft.
The OCC opened an investigation into the incident shortly after Thompson’s arrest, once news of the breach reached the press. The investigation effectively ended when the OCC announced a consent order in which Capital One agreed to pay the $80 million penalty. The OCC detailed its findings in an accompanying Cease and Desist Order. Specifically, the OCC found that the bank failed to establish an effective risk assessment process before migrating operations to the AWS cloud environment; that the bank’s internal audit failed to identify numerous control weaknesses; and that the weaknesses that were identified were either not reported to the Audit Committee or were reported and the Board failed to take effective action on them. For this conduct the OCC found the Bank in violation of 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards.”
The breach in this case was a configuration error that, on the facts recited by the OCC, could only have been recognized and resolved by someone with extensive experience or knowledge. How, then, did the OCC find the bank liable for a flaw that was so difficult to find and repair? The answer turns on process rather than on the flaw itself: the OCC determined that the bank never conducted a proper assessment of the controls and safeguards protecting the data. Capital One never performed a cyber-risk assessment of the cloud environment that housed the data; had it done so, it may well have discovered and remedied the flaw before Thompson could exploit it. An assessment of that kind asks, for each internet-facing component, what credentials it holds, what those credentials can reach, and whether an attacker who subverts the component inherits that reach; a misconfigured, over-privileged edge host is exactly what such a question surfaces.
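The following is an added example, not code from the article or from any OCC document, of the kind of cloud risk-assessment check the order faults the bank for never running. It is built on what was publicly reported about the 2019 incident (the WAF misconfiguration let the attacker query the EC2 instance metadata service, obtain the host’s IAM role credentials, and use them to list and read S3 buckets) and flags the two conditions that together make that path possible: an instance still answering IMDSv1 requests without a session token, and a role whose policy grants bucket listing and object reads on every resource. The instance and policy records are constructed for illustration; their shape follows the EC2 DescribeInstances MetadataOptions and IAM policy JSON formats, and the role names and instance IDs are invented.

```python
"""
Added example (not the article's or the OCC's code): a minimal cloud
risk-assessment check for a web-facing host. Flags (a) EC2 instances that
still serve IMDSv1, so any SSRF through the host can read its role's
temporary credentials, and (b) IAM roles whose policies let that host
enumerate and read every S3 bucket. Both conditions were publicly reported
in the 2019 Capital One incident; the data below is constructed.
"""
from fnmatch import fnmatchcase

# Constructed inventory in the shape of boto3 describe_instances()
# MetadataOptions. HttpTokens "optional" means IMDSv1 (token-less GET) works.
INSTANCES = [
    {"InstanceId": "i-waf-01", "IamRole": "waf-role",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-app-02", "IamRole": "app-role",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-batch-03", "IamRole": "app-role",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]

# Constructed IAM policies. waf-role is the weak setting: a WAF needs no S3
# access, yet this policy lets it list and read every bucket in the account.
# app-role is the corrected shape: one action, scoped to one bucket prefix.
POLICIES = {
    "waf-role": {"Statement": [
        {"Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
         "Resource": "*"}]},
    "app-role": {"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-config-bucket/*"}]},
}

# Concrete actions that, granted on "*", let a compromised host walk all S3.
BROAD_S3_READ = ("s3:listallmybuckets", "s3:listbucket", "s3:getobject")


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def imdsv1_exposed(instance):
    """True if the metadata endpoint is on and a plain GET (no token) works.

    Fix: aws ec2 modify-instance-metadata-options --http-tokens required
    """
    opts = instance.get("MetadataOptions", {})
    return opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required"


def broad_s3_read(policy):
    """True if any Allow statement grants bucket listing or object reads on '*'.

    IAM action names are case-insensitive and may carry glob wildcards
    ("s3:*", "s3:Get*", "*"), so each policy action is matched as a pattern
    against the concrete actions we care about.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if any(fnmatchcase(action, pattern.lower()) for action in BROAD_S3_READ):
                return True
    return False


def assess(instances=INSTANCES, policies=POLICIES):
    """Return (instance_id, finding) pairs. The combination is the critical
    case: SSRF -> IMDSv1 -> role credentials -> every bucket in the account."""
    findings = []
    for inst in instances:
        role = inst["IamRole"]
        v1 = imdsv1_exposed(inst)
        broad = broad_s3_read(policies.get(role, {}))
        if v1 and broad:
            findings.append((inst["InstanceId"],
                             "CRITICAL: IMDSv1 reachable and role %s can read all S3" % role))
        elif v1:
            findings.append((inst["InstanceId"], "HIGH: IMDSv1 reachable; require HttpTokens"))
        elif broad:
            findings.append((inst["InstanceId"], "MEDIUM: role %s has broad S3 read" % role))
    return findings


if __name__ == "__main__":
    for instance_id, finding in assess():
        print(instance_id, finding)
```

Run against the constructed inventory, only i-waf-01 is reported, and it is reported as critical: the other two hosts either require IMDSv2 tokens or have the metadata endpoint disabled, and their role is scoped to a single bucket. In a real assessment the inventory would come from describe_instances and get_role_policy/get_policy_version calls across every account, and the same two questions would be asked of every internet-facing host, not only the WAF.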
The Cease and Desist Order also imposes an action plan on the Capital One Board to develop and supervise a risk assessment process and to reassess the quality and content of the reports the Board receives. The order requires a plan to improve the bank’s risk assessment process, to develop a cloud operations risk assessment, and to enhance the audit process and audit reporting to the Board. Finally, the order imposes a page of prescriptive requirements on the Board, ranging from authorizing corrective actions and ensuring the Bank has sufficient processes in place to holding the Bank’s management accountable for executing the plan and for timely and appropriate reporting.
The case, the Consent Order, and the OCC’s findings in the Cease and Desist Order raise several issues of which all banks and their boards should be aware. The most important take-away is that any cyber security issue involving a substantial number of records should be brought to the board’s attention immediately. There are real consequences for a company’s failure to act to prevent cyber security breaches, and boards cannot escape those consequences by leaving cyber security incidents unaddressed.