Capital One removes CISO from role following breach

Dive Brief:

  • Capital One’s CISO Michael Johnson is moving from his role following the disclosure of its July data breach, a Capital One spokesperson told CIO Dive in an email. The bank appointed Mike Eason as an interim CISO and Head of Cyber. Eason previously served as the CIO for Capital One’s Commercial Bank.
  • Johnson will remain at Capital One as an advisor, focused on the bank’s ongoing response to the data breach. The bank is conducting an external search for a new CISO.
  • The WSJ reported in August that Capital One cybersecurity employees took issue with Johnson, with many of his “initial direct reports” leaving for other positions. Employees said his history with the federal government didn’t work in his favor in the private sector. Capital One’s cybersecurity organization frequently overstepped its budget, according to the report.

Dive Insight:

CISOs will often fall on their sword in light of a cyber event. Other times, it’s not their choice.

Prior to joining Capital One and the private sector, Johnson served in IT and security roles at the Department of Homeland Security, the White House and the Department of Energy, according to his LinkedIn.

While it’s seldom one person’s responsibility to cover all facets of security, the onus of a breach still falls on the shoulders of the CISO.

Capital One’s breach impacted 106 million customers, exposing 140,000 Social Security numbers and 80,000 linked bank account numbers belonging to credit card customers.

The hacker — Paige “erratic” Thompson — exploited a Server-Side Request Forgery (SSRF) vulnerability to gain access to data Capital One stored on AWS. While AWS maintains it played no role in the data breach, Congress is calling for answers.

“A firewall misconfiguration permitted commands to reach and be executed by that server,” enabling access to data folders or buckets on AWS, according to the Department of Justice.

The security gaps the hacker exploited fell on Capital One, not AWS. Law enforcement suspects Paige Thompson to also have compromised 30 other “victim companies.”

Correction: An earlier version of this story inaccurately detailed Capital One’s cybersecurity budget and staff.