Just over a year ago, after an Amazon employee accessed a vulnerable S3 bucket, Capital One experienced one of the biggest data breaches of 2019. The Amazon employee stole over 100 million customers’ Social Security numbers, bank account information, and credit card applications.
The Amazon employee was arrested shortly after the incident and charged with one count of computer fraud and abuse. Her trial is scheduled to begin next February. But at the broader organization level, the repercussions and consequences are well underway. We learned yesterday that Capital One has agreed to pay an $80 million fine and enter into a consent order with the Office of the Comptroller of the Currency (OCC), the independent bureau within the Department of the Treasury that regulates and supervises national banks.
In the consent order, the OCC stated that Capital One’s internal audit failed to identify numerous control weaknesses and gaps in their cloud operating environment and did not effectively report on and highlight identified weaknesses and gaps to the Audit Committee. The OCC order noted that Capital One “has begun addressing the identified corrective action and has been committed to providing resources to remedy the deficiencies.”
To commemorate the one-year anniversary of the big breach, we recently took a deep dive into the technical problems that contributed to it, but the OCC’s recent fine and order remind us of the higher-level repercussions of the data breach. Not only does Capital One have to pay an $80 million fine, but for the foreseeable future, they will be working to correct their cloud security issues and prevent them from happening again. They’ll also have to do quite a bit of reporting to satisfy the OCC and the Federal Reserve. The Federal Reserve issued a cease-and-desist order requiring compliance with the OCC order and submission of a series of written plans within 90 days to strengthen oversight of their risk management program, internal controls and governance, and other items. The hefty fine, combined with the enormous effort associated with establishing and maintaining (and proving) adequate cloud security and compliance, offers other companies legitimate motivation to avoid data breaches of their own.
That’s where DivvyCloud by Rapid7 can help. DivvyCloud protects cloud and container environments from misconfigurations, policy violations, threats, and IAM challenges. With automated, real-time remediation, DivvyCloud customers achieve continuous security and compliance and can fully realize the benefits of cloud and container technology. To find out more, speak with a DivvyCloud expert today.