Capital One to pay $80M penalty over 2019 data breach

Dive Brief:

Capital One will pay an $80 million penalty for last year’s data breach involving more than 106 million accounts, regulators said Thursday.
The Office of the Comptroller of the Currency (OCC) said its consent order is based on the bank's "failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner."
In conjunction with the OCC, the Federal Reserve issued a cease and desist order against the bank. The Fed said the bank’s board of directors must submit a written plan within 90 days outlining how it intends to improve its risk management program and internal controls for protecting customer data. The Fed’s enforcement action does not include a monetary penalty.

Dive Insight:

Capital One’s data breach was one of the largest to hit a financial services company, affecting about 100 million people in the U.S. and another 6 million in Canada, the bank announced last year.

That hack occurred after a former employee of Capital One’s cloud hosting company, Amazon Web Services, gained access to the bank’s customer data by exploiting a misconfigured web application firewall.

The data, connected to credit card applications filed between 2005 and 2019, included names, postal codes, birth dates and self-reported income. The breach also exposed credit scores, credit limits, balances, payment history and fragmented transaction history from 2016 to 2018.

In its consent order, the OCC said the McLean, Virginia-based bank "failed to establish appropriate risk management" and "failed to identify numerous control weaknesses and gaps in the cloud operating environment."

The regulator said the bank’s board "failed to take effective actions to hold management accountable" and said the bank "engaged in unsafe or unsound practices that were part of a pattern of misconduct."

The OCC, however, said it "positively considered" the bank's customer notification and remediation efforts following the hack.

"Safeguarding our customers’ information is essential to our role as a financial institution," a Capital One spokesperson said. "The controls we put in place before last year’s incident enabled us to secure our data before any customer information could be used or disseminated and helped authorities quickly arrest the hacker.

"In the year since the incident, we have invested significant additional resources into further strengthening our cyber defenses, and have made substantial progress in addressing the requirements of these orders," the spokesperson added. "We appreciate our regulators’ recognition of our positive customer notification and remediation efforts, and remain committed to working closely with them to ensure that we meet the highest standards of protection for our customers."