Capital One: A Failure in Risk Management

Steven Minsky | Oct. 31, 2019

On the heels of Equifax’s $557 million settlement with the Federal Trade Commission, Capital One announced a massive breach that affected 106 million customers. The banking giant announced on July 19th that a hacker had exposed millions of personal records that were housed on a public cloud server (AWS).

I was interviewed by the Financial Times to comment on this failure in risk management. Unsurprisingly, Capital One’s use of a cloud-based service was brought into question. Is moving to the cloud good or bad? Could this have been avoided if the cloud had not been used? My answer is that it doesn’t matter. Whether Capital One chose to use a cloud-based service or not is not the cause of the breach. In fact, the breach has nothing to do with technology. While some claim the cause of this breach was an improperly configured firewall, the true cause always comes down to people, processes, and procedures.

Risks have been shown to be known to the front-line employees of an organization at least three months in advance of a mishap or scandal, and that is why such events are failures in risk management. Three months is enough time for an organization with an ERM system to uncover these known risks and make meaningful remediations. I have identified this consistent pattern and proven its veracity hundreds of times over the past 15 years of studying risk management failures. Let’s take Equifax as an example. The security breach that impacted more than 140 million consumers was announced in July 2017. However, the system vulnerabilities that allowed the breach had been found as early as December 2016. On March 15, 2017, four months before the breach was discovered, Homeland Security notified Equifax of the impending threat of a serious technology vulnerability for which a fix was already known and available. Equifax directed 400 employees to patch their systems, with the mandate that these vulnerabilities be patched within 48 hours, yet the breach happened anyway – from May to July 2017.

How is this possible? Ineffective risk management will land you here every time. It goes back to people, processes, and procedures. Had the proper enterprise risk management system been in place and effectively managed, this scandal, like all corporate scandals, would have been avoided. You can outsource a process, but you can never outsource the associated risks. The root cause of corporate scandals is always the same: a failure to ensure that corporate policies are effective not only internally but all the way out to the vendors and partners you do business with.

In the case of Capital One, the reputational damage has been done. In today’s See-Through Economy, companies must bridge the organizational silos that allow these breaches to happen in the first place. An ERM system can not only identify gaps in security and ensure appropriate activities are completed, but can also maintain and prove compliance, and properly escalate known risks long before they become a data breach or privacy violation.

I will continue to cover this unfolding story and provide the lessons learned.