Capital One Cyber Staff Raised Concerns Before Hack

Before a giant data breach at Capital One Financial, employees raised concerns within the company about what they saw as high turnover in its cybersecurity unit and a failure to promptly install some software to help spot and defend against hacks, according to people familiar with the matter.

The cybersecurity unit—responsible for ensuring Capital One’s firewalls were properly configured and scanning the internet for evidence of a data breach—has cycled through senior leaders and staffers in recent years, according to the people. About a third of its employees left in 2018, some of the people said.

Capital One last month disclosed that a hacker accessed the personal information of about 106 million of its card customers and applicants. Before the hack was made public, employees had raised concerns about what they saw as staffing issues and other problems to the bank’s internal auditors, human-resources department and other senior executives, according to some of the people.

The quality of a cybersecurity operation is partly dependent on its ability to attract and retain top talent. The bank’s board regularly reviewed attrition rates in the cybersecurity unit, one of the people said.

A bank spokeswoman said: “Safeguarding information is essential to our mission and to our role as a financial institution. We’ve invested heavily in cybersecurity and will continue to do so.”

The bank spokeswoman said the cybersecurity unit’s total head count has risen over the past several years. “The Cyber Team is a net importer of talent within Capital One,” she said in a statement.

The hack was one of the largest in recent years, a period when a wide swath of companies including hotel chains and retailers have experienced major data breaches. Capital One’s breach was particularly surprising because it ran counter to a popular perception that the bank was ahead of the game in technology. Prosecutors have said that the hacker began attempting to access the bank’s information in March, but Capital One didn’t learn of it until it was tipped off by an outside researcher 127 days later.

[Chart: Data Downers. The Capital One breach joins a list of episodes in recent years. Selected data breaches by number of consumers/user accounts.]

For years, Capital One stood out among banks as a place where top technology talent wanted to work. Many employees liked the fact that it was still led by a founder, Richard Fairbank. Technology employees were given leeway to operate as they saw fit, the people said.

The bank’s “red team,” an internal group intended to find vulnerabilities in the firm’s security, once broke into the private elevator to executive floors, a move some employees involved thought would have crossed the line at other firms, according to one of the people familiar with the matter.

Mr. Fairbank and his top executives had long developed a game plan about a bank hack, and studied what they saw as weaknesses in responses from other banks and companies, The Wall Street Journal previously reported.

Sometimes the broader tech-centric culture of the firm could complicate security, the people said. Technology employees had at times been given free rein to write in many coding languages—so many that it made it harder for the cybersecurity unit to spot problems, according to people familiar with the matter.

About five years ago, the company started navigating a huge technological shift: moving its data to the cloud. While a cloud-based server could in some ways be more secure, it also required a different set of security knowledge than its old data centers did. The alleged hacker was a former employee of Amazon Web Services Inc., the cloud service that hosts much of Capital One’s tech infrastructure. In the case of Capital One, the alleged hacker found that a computer managing communications between the company’s cloud and the public internet was misconfigured—effectively it had weak security settings, the Journal previously reported.

“We will incorporate the learnings of this incident to further strengthen our cyber defense,” the bank spokeswoman said.

Cybersecurity falls under the chief information security officer. The bank in 2017 hired Michael Johnson for the role. Mr. Johnson, a veteran of the federal government, quickly clashed with employees who thought his style was unsuited to the private sector, according to the people.

He berated employees and prioritized building what he called his own “front office” that included administrators and employees who helped with internal public relations, the people said.

Senior cybersecurity employees unhappy under Mr. Johnson left for comparable, or better, jobs elsewhere, the people said. Some went to other divisions at Capital One. Most of Mr. Johnson’s initial direct reports have departed. Some of their replacements have left too.

Through the spokeswoman, Mr. Johnson declined to comment.

While the bank was generous with cybersecurity funding, the unit struggled to stay within its budget last year, one of the people said. This year, budget issues have continued and possible money-saving measures, including staff cuts, have been discussed, some of the people said.

The bank spokeswoman declined to comment on the budget. She said that Mr. Johnson “joined us as an experienced CIO and since that time we have grown our team of highly talented cyber leaders and experts to effectively manage our cyber defenses and preparedness.”

Mr. Johnson was chief information officer of the Energy Department from 2015 to 2016, according to his LinkedIn profile.

Routine cybersecurity measures to help protect the company sometimes fell by the wayside, some of the people said. For instance, the bank around late 2017 bought software from a company called Endgame to improve its ability to detect hacks, some of the people said. More than a year after buying the software, Capital One still hadn’t finished installing it, one of the people said. The issue was flagged to Mr. Johnson, the bank’s internal auditors and others, according to one of the people. It couldn’t be determined how they responded. Endgame declined to comment.

The bank spokeswoman said that Capital One is “constantly developing and adapting” to “an ever-changing threat landscape.”

Some cyber employees also were concerned as recently as this year that vulnerabilities in Capital One’s firewalls weren’t getting fixed fast enough, one of the people said.

The bank spokeswoman said Capital One continuously scans for “configuration vulnerabilities…and we address them where they’re found.”

Write to AnnaMaria Andriotis at and Rachel Louise Ensign at

Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved.

