Skip to main content
close search
site logo
Dive Brief

Capital One to pay $80M penalty over 2019 data breach

Published Aug. 6, 2020
Anna Hrushka's headshot
Senior Reporter
CC: Tdorante10

Dive Brief:

  • Capital One will pay an $80 million penalty for last year’s data breach involving more than 106 million accounts, regulators said Thursday.

  • The Office of the Comptroller of the Currency (OCC) said its consent order is based on the bank's "failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner."

  • In conjunction with the OCC, the Federal Reserve issued a cease and desist order against the bank. The Fed said the bank’s board of directors must submit a written plan within 90 days outlining how it intends to improve its risk management program and internal controls for protecting customer data. The Fed’s enforcement action does not include a monetary penalty.

Dive Insight:

Capital One’s data breach was one of the largest to hit a financial services company, affecting about 100 million people in the U.S. and another 6 million in Canada, the bank announced last year.

That hack occurred after a former employee of Capital One’s cloud hosting company, Amazon Web Services, gained access to the bank’s customer data by exploiting a misconfigured web application firewall.

The data, connected to credit card applications filed between 2005 and 2019, included names, postal codes, birth dates and self-reported income. The breach also exposed credit scores, credit limits, balances, payment history and fragmented transaction history from 2016 to 2018. 

In its consent order, the OCC said the McLean, Virginia-based bank "failed to establish appropriate risk management" and "failed to identify numerous control weaknesses and gaps in the cloud operating environment."

The regulator said the bank’s board "failed to take effective actions to hold management accountable" and said the bank "engaged in unsafe or unsound practices that were part of a pattern of misconduct."

The OCC, however, said it "positively considered" the bank's customer notification and remediation efforts following the hack.

"Safeguarding our customers’ information is essential to our role as a financial institution," a Capital One spokesperson said. "The controls we put in place before last year’s incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker.

"In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders," the spokesperson added. "We appreciate our regulators’ recognition of our positive customer notification and remediation efforts, and remain committed to working closely with them to ensure that we meet the highest standards of protection for our customers."

Editors' picks

  • The Federal Reserve building at sunset.
    Image attribution tooltip
    Douglas Rissing via Getty Images
    Image attribution tooltip

    9 crucial reactions to the capital requirements preview

    BofA and JPMorgan execs talk death, despair and a lack of specifics, while lawmakers and regulators appear to fall along party lines in the snowballing fight over the Basel endgame.

    By Dan Ennis • Sept. 11, 2024
  • The Goldman Sachs company logo is displayed on a screen at the New York Stock Exchange during afternoon trading on August 02, 2024 in New York City.
    Image attribution tooltip
    Michael M. Santiago via Getty Images
    Image attribution tooltip

    Goldman, Apple to pay CFPB $89.8M over Apple Card issues

    The bank and tech firm failed to address disputed transactions from their joint Apple Card program, the bureau alleged, and misled cardholders about interest-bearing products.

    By Gabrielle Saulsbery • Oct. 23, 2024

Company Announcements

View all | Post a press release
Unitus Community Credit Union Deploys JUDI.AI to Scale Small Business Lending
From JUDI.AI
October 31, 2024
Cross Border Payment Solutions Launches to Help Business Take Control of International Finance
From Cross Border Payment Solutions
November 18, 2024
Agent IQ and Narmi Announce Strategic Partnership to Improve Digital Banking Experiences
From Narmi
October 31, 2024
Editors' picks
  • The Federal Reserve building at sunset.
    Image attribution tooltip
    Douglas Rissing via Getty Images
    Image attribution tooltip

    9 crucial reactions to the capital requirements preview

    BofA and JPMorgan execs talk death, despair and a lack of specifics, while lawmakers and regulators appear to fall along party lines in the snowballing fight over the Basel endgame.

    By Dan Ennis • Sept. 11, 2024
  • The Goldman Sachs company logo is displayed on a screen at the New York Stock Exchange during afternoon trading on August 02, 2024 in New York City.
    Image attribution tooltip
    Michael M. Santiago via Getty Images
    Image attribution tooltip

    Goldman, Apple to pay CFPB $89.8M over Apple Card issues

    The bank and tech firm failed to address disputed transactions from their joint Apple Card program, the bureau alleged, and misled cardholders about interest-bearing products.

    By Gabrielle Saulsbery • Oct. 23, 2024
Latest in Retail
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell