Capital One Financial Corporation is an American bank holding company specializing in credit cards, auto loans, banking, and savings accounts, headquartered in McLean, Virginia with operations primarily in the United States.
The U.S. Treasury Department has fined Capital One $80 million for careless network security practices that enabled a hack that accessed the personal information of 106 million of the bank’s credit card holders.
Why Is Capital One Fined?
Capital One Financial Corp (COF.N) will pay an $80 million penalty to a U.S. bank regulator after the bank suffered a massive data breach one year ago.
The fine, announced Thursday by the Office of the Comptroller of the Currency, punishes the bank for failing to adequately identify and manage risk as it moved significant portions of its technological operations to the cloud.
“Safeguarding our customers’ information is essential to our role as a financial institution,” said a bank representative in a statement. “In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”
The 2019 Data Breach
In July 2019, the bank disclosed that personal information, including names and addresses, of about 100 million individuals in the United States and 6 million people in Canada had been obtained by a hacker. The suspected hacker was a former employee of Amazon Web Services, the cloud provider to which the bank had moved some of its data.
Among the largest of its kind on record, the 2019 breach compromised about 140,000 Social Security numbers and 80,000 bank account numbers. The accused hacker, former Amazon software engineer Paige Thompson, has pleaded innocent to charges related to the breach.
Thompson, a transgender woman, is set to stand trial in February. Her lawyers have sought to have her released to a halfway house where she would have better access to mental health care, but the judge in the case denied the request, saying she was a flight risk and a danger to others.
No evidence has emerged that Thompson sought to benefit financially from the hack.
The OCC said in its consent order that the bank failed to identify and manage risks leading up to the move to cloud storage, and lacked sufficient network security and data loss prevention controls. The regulator also said that when internal auditing did identify issues, the bank’s board failed to hold management accountable.
The 2019 breach did not expose credit card account information, but about 140,000 Social Security numbers and 80,000 linked bank account numbers were compromised.
The OCC also ordered the bank to overhaul its operations to ensure it is adequately guarding against general cybersecurity risks and risks specific to cloud operations, and submit those plans for review. The bank faces similar heightened oversight from the Federal Reserve.
The Next Step For Capital One
Capital One said that controls put in place prior to the hack allowed the company to secure customers’ data before it could be used or disseminated, and helped law enforcement arrest the hacker.
“Safeguarding our customers’ information is essential to our role as a financial institution,” a Capital One spokesperson said in a statement to CNN Business. “In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders.”
As part of the Fed’s order, Capital One’s board of directors will be required to submit a plan within 90 days describing actions it will take to improve its risk management program and internal governance and controls. It must include, for example, an internal governance framework with “clearly defined operational risk roles and responsibilities,” risk testing and validation processes, and measures to ensure proper training of operational risk personnel.
Capital One is also required to provide a timeline for improvements to its cybersecurity and data loss protection program. The bank will be required to provide quarterly updates to the Fed detailing actions it has taken in response to the order. The Capital One spokesperson said in the statement that the bank will continue to work closely with regulators to ensure it meets “the highest standards of protection for its customers.”