This article was originally published by HousingWire, an HW Media publication dedicated to serving mortgage and real estate professionals.
Migrating to the cloud is an increasingly common practice for financial institutions. But with that migration comes increased risk. If not done properly, the process could leave sensitive information vulnerable and potentially lead to breaches. As such, there is more scrutiny than ever on cloud migration practices.
On Thursday, the Office of the Comptroller of the Currency said that it has assessed an $80 million civil money penalty against Capital One, N.A. and Capital One Bank (USA), N.A. related to the migration of “significant” IT operations to the cloud.
Specifically, the OCC said the civil money penalty was based on the “bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment.” It also was based on the bank’s failure to correct the deficiencies in a timely manner, according to the OCC.
The OCC in particular took issue with the bank’s customer notification and remediation efforts.
“While the OCC encourages responsible innovation in all banks it supervises, sound risk management and internal controls are critical to ensuring bank operations remain safe and sound and adequately protect their customers,” it said in a written statement.
The incident that the OCC is referring to goes back to last September when the bank determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for its credit card products.
Capital One estimated that the incident impacted about 100 million people in the United States and approximately 6 million in Canada.
Beyond credit card application data, the hacker obtained portions of credit card customer data, including customer status data, Social Security numbers, and linked bank account numbers.
A look at the OCC’s Cease and Desist Order reveals that the agency’s comptroller found that Capital One failed to appropriately design and implement certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.
It also alleged that the bank’s internal audit failed to identify “numerous control weaknesses and gaps in the cloud operating environment.” Further, the OCC claims that the bank’s board did not hold management appropriately accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses.
We reached out to Capital One for comment and the bank provided the following statement:
“Safeguarding our customers’ information is essential to our role as a financial institution. The controls we put in place before last year’s incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker. In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders. We appreciate our regulators’ recognition of our positive customer notification and remediation efforts, and remain committed to working closely with them to ensure that we meet the highest standards of protection for our customers.”
Capital One will pay the $80 million penalty to the U.S. Treasury as part of an agreement with the OCC.
The bank is also said to have entered into consent orders with the Federal Reserve Board of Governors and the OCC resulting from regulatory reviews of the incident and relating to ongoing enhancements of its cybersecurity and operational risk management processes.