Capital One’s Story: The $80 Million Price of Not Following Best Practices

Aug 4, 2021

There are big fines waiting out there for organizations that do not take information security seriously. In 2019, Capital One paid an $80 million civil penalty for its role in a security breach that exposed the personal data of more than 100 million people. The fine was issued due to “the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner.”

Why This Affects IT Teams

The first misstep is that the bank failed to establish an effective assessment process. No organization can be protected completely, so the focus needs to be on following best practices and executing proven tactics such as security assessments. Capital One did not build the technology that caused the issue, but it neglected a critical security practice in how it used that technology.

Capital One knew of the skipped assessment process and failed to take prompt action; the report stated that the board of directors “failed to take effective actions to hold management accountable.”

Key Takeaway for IT Leaders

Leaders must stop at nothing to ensure proper actions are taken to protect their organization.
In Identity & Access Management (IAM), the same principle applies; the team lead or the architect must have absolute ownership of the project’s success. It takes years of experience and mastery of the technologies to be in an IAM leadership position, but the most successful leaders rely heavily on following best practices.

In the case of Capital One, skipping out on a best practice step cost them over $80 million in cash and caused an enormous hit to their reputation.

Use their mistake to prompt self-reflection in your organization. Ensure leaders understand how disciplined you and your team are at following best practices and owning that responsibility. As we progress in the 2020s, the IT Security threat landscape will only grow, and the best defenses will be found in following the best practices of the given field.

GCA Sets The Standard

From coding practices to testing with clients, the IAM best practices followed at GCA make all of the difference.

At GCA, we always use the same processes and best practices, even with the organizations that we have worked with for years. Consistency works. Our unwavering and disciplined approach to following best practices is what makes the difference between a semi-functioning IAM program and a world-class IAM program. Learn how GCA can help you protect your company by booking a consultation today.