Regulatory implications of the 2019 Capital One hack and recent conviction of a former AWS engineer | The Volkov Legal Group

Paige Thompson, a former Amazon Web Services (AWS) engineer, was recently convicted in a US District Court in Seattle on seven federal counts, including wire fraud and unauthorized access to a protected computer, for stealing the personal data of more than 100 million people from misconfigured accounts hosted on AWS. The breach cost Capital One a combined $270 million in regulatory penalties and class-action compensation. Thompson pulled the data from Capital One's cloud storage buckets on AWS.

Thompson was arrested in July 2019 after Capital One learned of the intrusion. The stolen data included Social Security numbers and bank account numbers. Thompson used a tool she built to scan for misconfigured AWS accounts, then broke into them and downloaded the data. The FBI traced Thompson through a Slack channel in which she claimed to have the stolen data. She also mentioned that she intended to check herself into a mental institution. Thompson is expected to be sentenced in September.

Capital One was fined $80 million by the Office of the Comptroller of the Currency and paid $190 million to settle a class action lawsuit brought by customers who were victims of data theft.

In the aftermath of the hack, AWS and Capital One pointed the finger at each other.

AWS claimed that Thompson gained access through "misconfiguration of the web application, not the underlying cloud-based infrastructure." The incident reminded every financial institution that uses a cloud service provider (CSP) that it needs its own cloud security controls and cannot rely solely on the CSP for them. In Capital One's case, Thompson gained unauthorized access through a misconfigured web application firewall (WAF). Public analyses of the FBI's complaint describe the path as a server-side request forgery against the WAF host that retrieved temporary IAM role credentials from the EC2 instance metadata service; those credentials were then used from outside AWS to enumerate and copy the contents of Capital One's S3 buckets. Both the WAF misconfiguration and the breadth of the role's permissions sat on the customer's side of the shared responsibility model, and Capital One's failure to uphold its side of that model is what made the theft possible.
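The following Python script is an added illustration, not code from the original article and not Capital One's or AWS's own tooling. It shows one detection a bank's security team could run over its own CloudTrail logs for the pattern described above: an EC2 instance role's temporary credentials being used from an IP address outside the fleet's known egress ranges, followed by bulk S3 listing and reads by that same session. The log records, account ID, role name, bucket names and IP ranges are constructed placeholders.

```python
"""Detection over CloudTrail-style records: EC2 instance-role credentials used
from outside the fleet's known egress ranges, plus bulk S3 enumeration by the
same role session. Added example with constructed data; not Capital One's or
AWS's code."""
import ipaddress
import json
import re
from collections import defaultdict

# Hypothetical egress ranges the EC2 fleet is expected to use (TEST-NET-3).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# An EC2 instance that assumes its instance-profile role gets a role session
# named after its instance ID, so the caller ARN ends in "/i-<hex>".
INSTANCE_SESSION = re.compile(r"assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

S3_READ_EVENTS = {"ListBuckets", "ListObjects", "ListObjectsV2", "GetObject"}

# Constructed CloudTrail-like records, one JSON object per line. Account ID, role
# name, bucket names and IP addresses are placeholders, not data from the incident.
SAMPLE_LOG = """\
{"eventTime":"2019-03-22T08:00:01Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/WafInstanceRole/i-0a1b2c3d4e5f67890"}}
{"eventTime":"2019-03-22T08:05:12Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/WafInstanceRole/i-0a1b2c3d4e5f67890"}}
{"eventTime":"2019-03-22T08:05:40Z","eventSource":"s3.amazonaws.com","eventName":"ListObjectsV2","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/WafInstanceRole/i-0a1b2c3d4e5f67890"},"requestParameters":{"bucketName":"example-customer-data"}}
{"eventTime":"2019-03-22T08:06:02Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/WafInstanceRole/i-0a1b2c3d4e5f67890"},"requestParameters":{"bucketName":"example-customer-data","key":"applications/2019/part-0001.csv"}}
{"eventTime":"2019-03-22T08:06:03Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/WafInstanceRole/i-0a1b2c3d4e5f67890"},"requestParameters":{"bucketName":"example-customer-data","key":"applications/2019/part-0002.csv"}}
{"eventTime":"2019-03-22T08:07:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"198.51.100.5","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/analyst"},"requestParameters":{"bucketName":"example-reports","key":"q1.pdf"}}
{"eventTime":"2019-03-22T08:08:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","sourceIPAddress":"s3.amazonaws.com","userIdentity":{"type":"AWSService","invokedBy":"s3.amazonaws.com"}}
"""


def parse_events(log_text):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def instance_session_id(event):
    """Return the EC2 instance ID when the caller is an instance-profile role
    session, else None (IAM users and service principals return None)."""
    arn = event.get("userIdentity", {}).get("arn", "")
    match = INSTANCE_SESSION.search(arn)
    return match.group(1) if match else None


def is_foreign_ip(source, known_egress=KNOWN_EGRESS):
    """True if sourceIPAddress is a real IP outside the expected egress ranges.
    CloudTrail puts a service hostname (e.g. 's3.amazonaws.com') in that field
    for service-initiated calls; those carry no exfiltration signal and are skipped."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(ip in net for net in known_egress)


def find_credential_exfiltration(events, known_egress=KNOWN_EGRESS):
    """Map each instance-role session ARN to the sorted foreign IPs that used it.
    An instance's own credentials showing up off-fleet is the core signal."""
    foreign = defaultdict(set)
    for ev in events:
        if instance_session_id(ev) and is_foreign_ip(ev.get("sourceIPAddress", ""), known_egress):
            foreign[ev["userIdentity"]["arn"]].add(ev["sourceIPAddress"])
    return {arn: sorted(ips) for arn, ips in foreign.items()}


def find_bulk_s3_reads(events, threshold=3):
    """Flag instance-role sessions making at least `threshold` S3 list/read calls,
    returning {session_arn: {"count": n, "buckets": [...]}}."""
    stats = defaultdict(lambda: {"count": 0, "buckets": set()})
    for ev in events:
        if ev.get("eventName") not in S3_READ_EVENTS or not instance_session_id(ev):
            continue
        arn = ev["userIdentity"]["arn"]
        stats[arn]["count"] += 1
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if bucket:
            stats[arn]["buckets"].add(bucket)
    return {arn: {"count": s["count"], "buckets": sorted(s["buckets"])}
            for arn, s in stats.items() if s["count"] >= threshold}


def analyze(log_text):
    """Run both detections over a log and return the findings as one dict."""
    events = parse_events(log_text)
    return {
        "credential_exfiltration": find_credential_exfiltration(events),
        "bulk_s3_reads": find_bulk_s3_reads(events),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run against the constructed log, the script flags the WAF instance role's session as used from 198.51.100.77 and as having performed four S3 list/read calls against the customer-data bucket, while the IAM user's read and the service-initiated write are left alone. Two complementary preventive controls are worth noting alongside the detection: AWS later introduced IMDSv2, which requires a session token obtained via a PUT request before metadata is served and so defeats the simplest form of this request forgery, and a WAF role scoped to only the resources the WAF actually needs would have kept stolen credentials from reaching customer data at all.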

Capital One's security response was quick and showed that a rapid escalation process was in place. Capital One first learned of the hack from a tip sent to its responsible disclosure email inbox, and it contacted the FBI early in its response. Within 12 days of the tip, the FBI arrested Thompson.

The Capital One – AWS breach underscores the risks facing financial institutions that rely on cloud service providers.

In a recent article, Carlo Massimo of InformationWeek noted that "[t]he US, UK and EU are all evaluating regulations that would consider cloud enterprises as 'critical infrastructure' and require them to meet resiliency standards." Carlo Massimo's article hits the nail on the head.

In a recent study, the Cloud Security Alliance found that 91% of financial services organizations use cloud services or plan to use them within six to nine months, double the figure reported four years earlier. Yet regulators seem to be moving slowly in response to this rapidly changing risk landscape.

Banking regulators have yet to respond to this significant shift toward cloud services and cloud data storage. Since financial institutions are already subject to elaborate risk assessment and security requirements, banking regulators need to define the corresponding cloud security expectations for them, including breach detection, security protocols and escalation procedures, so that no time is lost once an incident occurs.

In his article, Carlo Massimo noted that in response to Capital One's breach, "Representatives Katie Porter (CA-D) and Nydia M. Velázquez (NY-D) wrote to the Financial Stability Oversight Council at Treasury, asking that cloud storage in the financial sector be considered a Systemically Important Financial Market Utility (SIFMU), as defined by the Dodd-Frank Act." This designation, Carlo Massimo noted, "would allow the Federal Reserve" to "prescribe risk management standards" and to "conduct reviews" of such service providers.

In the absence of regulatory intervention in this area, financial institutions need to re-examine their cyber defenses and reassess how their security and operations teams coordinate to protect data. CSPs have important obligations of their own, and they define the division of shared responsibilities, but financial institutions must identify and respond to the risks on their side of that division if they are to avoid the devastating consequences of a serious breach of their cloud-based operations. Financial institutions should implement a preventive security strategy built on encryption, regular vulnerability assessments, and consistent, audited configurations, and they should complement the CSP's native security controls with independent third-party monitoring.

The financial industry will need to demonstrate to regulators that it understands and has implemented effective risk management. If financial institutions do not act, rest assured that regulators will step in with a detailed and comprehensive regulatory regime governing the CSP environment.
