CAPITAL ONE DATA BREACH
Capital One Senior Security Officer Being Moved to New Role
Michael Johnson was chief information security officer during massive data breach
By AnnaMaria AndriotisNov. 7, 2019 11:27 am ET
The bank informed employees on Thursday that Michael Johnson will become an adviser and that the bank will begin an external search for a replacement, the people said. Mr. Johnson had been chief information security officer, or CISO, since 2017, and remains at the bank.
Mike Eason, the chief information officer of Capital One’s commercial bank, was named interim CISO, the people said. Mr. Eason’s LinkedIn profile doesn’t list cybersecurity experience.
Capital One disclosed in July that a hacker accessed the personal information of about 106 million of its card customers and applicants. The bank didn’t learn about the breach until it was tipped off by an outside researcher 127 days after the hacker began attempting to access the bank’s information. It was one of the largest hacks in recent years, and it ran counter to a reputation the bank had cultivated for being technologically savvy.
Since the breach was disclosed, at least a dozen experienced cybersecurity employees have left the bank, people familiar with the matter said. Many of them were frustrated at flagging security lapses to Mr. Johnson and other executives that they believed hadn’t been fully addressed, these people said.
Mr. Johnson and Mr. Eason couldn’t immediately be reached for comment.
The Wall Street Journal reported in August that employees had raised concerns within the company about its failure to promptly install certain software to help spot and defend against hacks as well as what they saw as high turnover in the cybersecurity unit. The concerns had been raised with Mr. Johnson, the bank’s internal auditors, the human-resources department and other senior executives.
Mr. Johnson, a veteran of the federal government, clashed with employees soon after taking over as CISO at the bank, the Journal previously reported. He berated employees and prioritized building what he called his own “front office” that included administrators and employees who helped with internal public relations, the Journal reported. Some employees questioned his knowledge of security issues and grew concerned at the amount of time it took to address them, people familiar with the matter said.
Write to AnnaMaria Andriotis at firstname.lastname@example.org