Lessons learned from Capital One’s data breach

Mehul Lalloobhai

When an organization is the victim of a cybersecurity breach, the immediate concern is the compromised data. The damage to brand reputation, potential lawsuits, regulatory fines and stringent compliance oversight are sure to follow — carrying a hefty price tag — all of which is a sober reminder that the breach itself is only the beginning of a long road ahead. The importance of implementing and maintaining prevention measures to mitigate cybersecurity risks is as critical as ever.

A recent example is the security breach at Capital One Financial Corporation, discovered in July 2019. It led to an $80 million fine levied by the Office of the Comptroller of the Currency (OCC). In this breach, a former employee of Amazon Web Services inappropriately accessed Capital One’s AWS cloud servers through a misconfigured web application firewall and exposed the personal data of more than 106 million individuals. There are valuable lessons to be learned from this event, including measures that all banks, large or small, should have in place.

What went wrong?

Although the response to rectify the firewall vulnerability was swift, Capital One only became aware of the breach when the hacker began to openly discuss the attack in an online forum. Delayed discoveries of security breaches are a problem, but certainly not unique to Capital One. According to Verizon’s 2020 Data Breach Investigations Report, over 20 percent of data breaches in 2019 were discovered after multiple months.

Banks that fall under the authority of the OCC must comply with requirements under the Code of Federal Regulations, specifically, 12 CFR Part 30, Appendix B, Interagency Guidelines Establishing Information Security Standards. For Capital One, the OCC consent order identified noncompliance with this requirement, noting the following:

  • Capital One failed to establish effective risk assessment processes in 2015 before migrating its information technology operations to a cloud environment.
  • Internal audit did not properly assess the cloud environment and, as a result, did not effectively identify or report on weaknesses and gaps to the audit committee.
  • For internal audit findings that were reported, the board did not take the appropriate action to hold management accountable.

The OCC’s consent order requires Capital One to submit to the OCC’s appointed Compliance Committee a comprehensive plan detailing remediation actions to achieve compliance. Within 45 days of each quarter end, Capital One must prepare and submit corrective actions and risk management plans along with subsequent progress reports.

How can these risks be prevented?

Among other requirements, banks should practice the following elements within 12 CFR Part 30, Appendix B:

Assessment of Risk & Implementation of Internal Controls: At least annually, the bank should perform risk assessments to identify the likelihood and impact of internal and external threats, including unauthorized access to personal customer information.

Key internal processes and control activities should then be implemented and tested by internal audit. For any gaps or deficient controls, such as system misconfigurations, management should take action to remediate. Controls should also be adjusted as new risks emerge over time.

Service Provider Arrangements: Service contracts should include appropriate due diligence measures to meet the objectives of regulatory guidelines. It’s also critical to understand the obligations required of both parties to ensure the responsibilities can be fulfilled. In the relationship with AWS, Capital One might have prevented the breach altogether, had they understood their obligation to properly configure the firewall.

Monitoring & Response: Systems should be monitored to detect both actual and attempted attacks. Banks should develop response programs that specify the actions to take once such activity is detected, including reporting to regulatory and law enforcement agencies.

These practices not only reduce a bank’s vulnerability to a security breach in the first place, but also mitigate the longer-term consequences if such an event occurs.

Key Takeaway

Even the largest banks face challenges in a) identifying and evaluating risk; b) developing risk management activities to prevent, detect and minimize the impact of security events; and c) monitoring to ensure compliance objectives are met. Therefore, a continued focus and investment for organizations of all sizes in cyber defense and response protocols remains a top priority.

Mehul Lalloobhai, CISA, is a senior manager in Weaver’s IT Advisory Services practice.