Skip to main content
close search
site logo

Fed ends Capital One breach-related enforcement action

The OCC 10 months earlier freed the bank from a separate consent order tied to a former Amazon Web Services employee’s hack that exposed the data of 106 million customers.

Published July 12, 2023
Dan Ennis's headshot
Senior Editor
The Capital One logo is displayed on the side of its headquarters in McLean, Va.
The Capital One logo is seen on its headquarters on January 20, 2023 in McLean, Virginia. Win McNamee via Getty Images

The Federal Reserve terminated its 2020 enforcement action against Capital One, related to a breach a year earlier that exposed the data of 106 million customers, the central bank announced Tuesday.

"We're pleased to fully resolve this regulatory matter," a spokesperson for Capital One told American Banker. "We are committed to continuing to enhance our high standards of protection for our customers and staying ahead of the evolving threats faced by public and private institutions.”

The move by the Fed comes 10 months after the Office of the Comptroller of the Currency freed the bank from a separate, breach-related consent order, saying Capital One had reached a level of “safety and soundness” no longer requiring extra oversight.

The Fed declined to comment to American Banker on the termination. The Capital One spokesperson, however, said all outstanding orders between the bank and the two regulators have been resolved.

Capital One paid an $80 million penalty to the OCC for “failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment,” and for failing to fix the deficiencies quickly, the regulator said.

The Fed’s order required Capital One’s board of directors to submit a written plan outlining how it intended to improve its risk management and internal controls for protecting customer data. It did not include a monetary penalty.

Capital One in December 2021, agreed to pay $190 million to settle a class-action lawsuit related to the breach, which compromised roughly 140,000 Social Security numbers and 80,000 account numbers linked to credit card customers, according to bank estimates. The data, connected to credit card applications filed between 2005 and 2019, included names, postal codes, birth dates and self-reported income. The breach also exposed credit scores, credit limits, balances, payment history and fragmented transaction history from 2016 to 2018, the bank said. 

Paige Thompson, a former Amazon Web Services employee, was convicted in June 2022 of wire fraud and five counts of unauthorized access to a protected computer and damaging a protected computer after a misconfigured firewall allowed her to access the data.

The incident spurred questions as to whether a bank or its cloud provider, AWS, bears responsibility in data breaches. In response to a 2019 inquiry by Sen. Ron Wyden, D-OR, an AWS executive said the onus of the security gaps falls on Capital One.

However, AWS’s role in the breach pushed at least two lawmakers to call for the three leading cloud providers — AWS, Microsoft Azure and Google Cloud — to be considered systemically important financial market utilities.

Filed Under: Regulations & Policy

Editors' picks

  • The Goldman Sachs company logo is displayed on a screen at the New York Stock Exchange during afternoon trading on August 02, 2024 in New York City.
    Image attribution tooltip
    Michael M. Santiago via Getty Images
    Image attribution tooltip

    Goldman, Apple to pay CFPB $89.8M over Apple Card issues

    The bank and tech firm failed to address disputed transactions from their joint Apple Card program, the bureau alleged, and misled cardholders about interest-bearing products.

    By Gabrielle Saulsbery • Oct. 23, 2024
  • The Federal Reserve building at sunset.
    Image attribution tooltip
    Douglas Rissing via Getty Images
    Image attribution tooltip

    9 crucial reactions to the capital requirements preview

    BofA and JPMorgan execs talk death, despair and a lack of specifics, while lawmakers and regulators appear to fall along party lines in the snowballing fight over the Basel endgame.

    By Dan Ennis • Sept. 11, 2024

Company Announcements

View all | Post a press release
Agent IQ and Narmi Announce Strategic Partnership to Improve Digital Banking Experiences
From Agent IQ
October 31, 2024
Unitus Community Credit Union Deploys JUDI.AI to Scale Small Business Lending
From JUDI.AI
October 31, 2024
WyHy Federal Credit Union Goes Digital with Narmi Account Opening
From Narmi
October 29, 2024
Agent IQ and Narmi Announce Strategic Partnership to Improve Digital Banking Experiences
From Narmi
October 31, 2024
Editors' picks
  • Woman stands under TD Bank sign.
    Image attribution tooltip
    Drew Angerer via Getty Images
    Image attribution tooltip

    TD hit with asset cap, $3B in penalties over AML woes

    The bank will pay $1.8 billion to the Justice Department, $1.3 billion to FinCEN, and growth will be restricted in the bank’s U.S. retail unit.

    By Dan Ennis and Gabrielle Saulsbery • Oct. 10, 2024
  • Michael Barr, the Federal Reserve's vice chair for supervision, speaks during a congressional hearing, while sitting next to Martin Gruenberg, chair of the FDIC and Michael Hsu, acting comptroller of the currency
    Image attribution tooltip
    Kevin Dietsch / Staff via Getty Images
    Image attribution tooltip

    Did regulators send warning shot at already roiled BaaS space?

    It’s clear the Synapse debacle was on regulators’ minds when they issued last week’s statement highlighting risks associated with banks’ third-party partnerships, analysts said.

    By Caitlin Mullen • July 31, 2024
Latest in Regulations & Policy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell