Skip to main content
close search
site logo
Dive Brief

Capital One removes CISO from role following breach

Published Nov. 7, 2019
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Nathan Dumlao

Dive Brief:

  • Capital One's CISO Michael Johnson is moving from his role following the disclosure of its July data breach, a Capital One spokesperson told CIO Dive in an email. The bank appointed Mike Eason as an interim CISO and Head of Cyber​. Eason previously served as the CIO for Capital One's Commercial Bank.​
  • Johnson will remain at Capital One as an advisor, focussed on the bank's ongoing response to the data breach. The bank is conducting an external search for a new CISO. 
  • The WSJ reported in August that Capital One cybersecurity employees took issue with Johnson; many "initial direct reports" leaving for other positions. Employees said his history with the federal government didn't work in favor in the private sector. Capital One's cybersecurity organization frequently overstepped its budget, according to the report.  

Dive Insight:

CISOs will often fall on their sword in light of a cyber event. Other times, it's not their choice. 

Prior to joining Capital One and the private sector, Johnson served in IT and security roles in the Department of Homeland Security, the White House and the Department of Energy, according to his LinkedIn

While it's seldom one person's responsibility to cover all facets of security, the onus of a breach still falls on the shoulders of the CISO.  

Capital One's breach impacted 106 million customers, exposing 140,000 Social Security numbers and 80,000 linked bank account numbers to credit card customers. 

The hacker — Paige "erratic" Thompson — exploited the "Server-Side Request Forgery" vulnerability to gain access to the AWS customer's data. While AWS maintains its role in the data breach is nonexistent, Congress is calling for answers. 

"A firewall misconfiguration permitted commands to reach and be executed by that server," enabling access to data folders or buckets on AWS, according to the Department of Justice

The security gaps the hacker exploited fell on Capital One, not AWS. Law enforcement suspects Paige Thompson to also have compromised 30 other "victim companies."

Correction: An earlier version of this story inaccurately detailed Capital One's cybersecurity budget and staff. 

 

Recommended Reading

Filed Under: Security, Leadership

Editors' picks

Company Announcements

View all | Post a press release
Legion Technologies Partners with Vail Resorts to Expand Workforce Management Across 37 Resort…
From Legion Technologies
November 19, 2024
Newgen and Fadata Join Forces to Optimize Insurance Content Management
From Newgen Software
November 13, 2024
PointFive is Apparently the Hottest Cloud Startup, Here is Why
From Jordan Mitchell
November 21, 2024
Graphiant Predicts Transformative Changes in Enterprise Connectivity and Data Assurance for 20…
From Graphiant
November 20, 2024
Editors' picks
Latest in Security
Industry Dive is an Informa TechTarget business.
© 2024 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.