1 11 Table of Contents 13 28

Pub. 15 2020-2021 Issue 4

WWW.NEBANKERS.ORG 12 Lessons from the Capital One Breach for All Banks Background Capital One suffered a breach when credit card applications harvested from their server were posted on GitHub. Due to a misconfigured web-application, the information was accessible to individuals who had intimate knowledge of the flaw and the ability to exploit the misconfiguration. The flaw, however, was so esoteric that it could only have been known to or exploited by someone with very specialized knowledge or extensive experi- ence in the configuration of the server. As it turns out, the breach was perpetrated by a former Amazon Web Services (A.W.S.) employee, identified as Paige Thompson, who, in the course of her job, recognized the flaw in the configuration of the webserver software. Thompson allegedly exploited this flaw and downloaded and posted approximately 30 GB of data from the Capital One site on GitHub. The information is estimated to have affected over 100MM individual credit card applications, which contained approximately 140,000 Social Security numbers. The F.B.I. arrested and charged Thompson with the theft of the information. O.C.C. Fines The Office of the Comptroller of the Currency (O.C.C.) opened an investigation into the incident shortly after the arrest of Thompson when news of the breach leaked to the press. The investigation effectively ended when the O.C.C. announced a consent order in which Capital One agreed to the $80 MM USD fine for the breach. The O.C.C. detailed its findings in a Cease and Desist Order (Order). Specifically, the O.C.C. found that the bank failed to establish an effective risk assessment process prior to using the A.W.S. cloud environment, the bank’s internal audit failed to identify numerous control weaknesses, and the weak- nesses that were identified were either not reported to the Audit Committee of the Capital One Board of Directors, or they were reported and the Capital One Board of Directors failed to take effective actions. For this conduct the O.C.C. found that the Bank was in violation of 12 C.F.R. Part 30, Appendix B, “Interagency Guidelines Establishing Information Security Standards.” The breach, in this case, was a configuration error which could have only been recognized and resolved through extensive experience or knowledge. So how did the O.C.C. find liability for an exploit that is so difficult to find and repair? The O.C.C. determined that the Board never instituted a proper assessment of the controls and safeguards for the data. Capital One never conducted a cyber-risk assessment of the cloud environment which housed the data, and if they had, they might have discov- ered and remedied the flawwhich Thompson was able to exploit. COUNSELOR’S CORNER Bob Kardell, Attorney, Baird Holm LLP and Halle Hayhurst, Law Student and Summer Associate, Baird Holm LLP

RkJQdWJsaXNoZXIy ODQxMjUw